From e4ef5ccb06fe7e47954de05158e7e92bf280b414 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?No=C3=A9mi=20V=C3=A1nyi?= Date: Thu, 21 Jan 2021 21:03:11 +0100 Subject: [PATCH] Update Golang to 1.15.7 (#22495) ## What does this PR do? This PR updates the Go version in the repository to 1.15.7. ## Why is it important? Numerous improvements are coming with the new version of Golang. The most noteworthy is the binary sizes are reduced by 5-8%. You can check out the [release notes of Golang 1.15](https://golang.org/doc/go1.15) for more information. Another change is that the deprecated, legacy behaviour of treating the CommonName field on X.509 certificates as a hostname when no Subject Alternative Names are present is now disabled by default. We do not expect users to update their certificates immediately. Thus, the default behaviour is kept for all existing verification modes. Furthermore, a new verification mode is added named `strict`. If this mode is selected Beats expects to have a SAN in the certificate. `verification_mode` | behaviour ------- | ----- `""` | CommonName is checked if no DNSName is available, then full check (previous behaviour) `"strict"` | full check with new strict SAN requirements `"full"` | CommonName is checked if no DNSName is available, then full check (previous behaviour, default value) `"certificate"` | certificate check without hostname (previous behaviour) `"none"` | no check (previous behaviour) The legacy behaviour is going to be removed in the next major version 8.0. We expect users to update their certificates so it does not depend on CommonName. --- .go-version | 2 +- CHANGELOG-developer.next.asciidoc | 1 + CHANGELOG.next.asciidoc | 5 + auditbeat/Dockerfile | 2 +- auditbeat/auditbeat.reference.yml | 36 +++ filebeat/Dockerfile | 2 +- filebeat/filebeat.reference.yml | 36 +++ filebeat/input/kafka/config.go | 2 +- filebeat/input/mqtt/client.go | 2 +- filebeat/inputsource/tcp/server.go | 2 +- filebeat/tests/system/test_tcp_tls.py | 6 + go.mod | 2 +- heartbeat/Dockerfile | 2 +- heartbeat/heartbeat.reference.yml | 36 +++ .../monitors/active/fixtures/expired.cert | 40 ++-- .../monitors/active/fixtures/expired.key | 52 ++--- heartbeat/monitors/active/http/http_test.go | 7 +- journalbeat/Dockerfile | 2 +- journalbeat/journalbeat.reference.yml | 36 +++ libbeat/Dockerfile | 2 +- libbeat/_meta/config/ssl.reference.yml.tmpl | 6 + libbeat/common/transport/tls.go | 2 +- .../transport/tlscommon/ca_pinning_test.go | 185 ++++++++------- libbeat/common/transport/tlscommon/config.go | 4 + .../transport/tlscommon/server_config.go | 4 +- .../transport/tlscommon/testdata/cacert.crt | 24 ++ .../transport/tlscommon/testdata/cacert.key | 27 +++ .../transport/tlscommon/testdata/client1.crt | 48 ++++ .../transport/tlscommon/testdata/client1.key | 27 +++ .../common/transport/tlscommon/tls_config.go | 220 +++++++++++++++--- .../transport/tlscommon/tls_config_test.go | 199 ++++++++++++++++ .../common/transport/tlscommon/tls_test.go | 16 +- libbeat/common/transport/tlscommon/types.go | 2 + .../tlscommon/{verify.go => validhostname.go} | 87 ++++--- .../common/transport/tlscommon/verify_test.go | 110 --------- .../common/transport/transptest/testing.go | 2 +- libbeat/docs/version.asciidoc | 2 +- libbeat/outputs/kafka/config.go | 2 +- metricbeat/Dockerfile | 2 +- metricbeat/helper/server/http/http.go | 2 +- metricbeat/metricbeat.reference.yml | 36 +++ metricbeat/module/http/_meta/Dockerfile | 2 +- metricbeat/module/kafka/metricset.go | 2 +- metricbeat/module/mongodb/metricset.go | 2 +- packetbeat/Dockerfile | 2 +- packetbeat/packetbeat.reference.yml | 36 +++ .../environments/docker/logstash/gencerts.sh | 2 +- .../logstash/pki/tls/certs/logstash.crt | 32 +-- .../logstash/pki/tls/private/logstash.key | 52 ++--- testing/environments/docker/logstash/ssl.conf | 18 ++ winlogbeat/eventlog/bench_test.go | 2 +- winlogbeat/tests/system/test_config.py | 2 +- winlogbeat/winlogbeat.reference.yml | 36 +++ x-pack/auditbeat/auditbeat.reference.yml | 36 +++ .../pipelinemanager/clientLogReader_test.go | 3 +- .../pkg/agent/operation/common_test.go | 4 +- x-pack/elastic-agent/pkg/core/authority/ca.go | 6 +- x-pack/filebeat/filebeat.reference.yml | 36 +++ x-pack/filebeat/input/http_endpoint/input.go | 2 +- .../netflow/decoder/template/test_helpers.go | 5 +- x-pack/functionbeat/Dockerfile | 2 +- .../functionbeat/functionbeat.reference.yml | 24 ++ x-pack/heartbeat/heartbeat.reference.yml | 36 +++ x-pack/libbeat/Dockerfile | 2 +- x-pack/metricbeat/Jenkinsfile.yml | 22 +- x-pack/metricbeat/metricbeat.reference.yml | 36 +++ x-pack/packetbeat/packetbeat.reference.yml | 36 +++ x-pack/winlogbeat/winlogbeat.reference.yml | 36 +++ 68 files changed, 1333 insertions(+), 423 deletions(-) create mode 100644 libbeat/common/transport/tlscommon/testdata/cacert.crt create mode 100644 libbeat/common/transport/tlscommon/testdata/cacert.key create mode 100644 libbeat/common/transport/tlscommon/testdata/client1.crt create mode 100644 libbeat/common/transport/tlscommon/testdata/client1.key create mode 100644 libbeat/common/transport/tlscommon/tls_config_test.go rename libbeat/common/transport/tlscommon/{verify.go => validhostname.go} (59%) delete mode 100644 libbeat/common/transport/tlscommon/verify_test.go create mode 100644 testing/environments/docker/logstash/ssl.conf diff --git a/.go-version b/.go-version index 4ed70fac17d..545fd574d35 100644 --- a/.go-version +++ b/.go-version @@ -1 +1 @@ -1.14.12 +1.15.7 diff --git a/CHANGELOG-developer.next.asciidoc b/CHANGELOG-developer.next.asciidoc index 4d40f0c99b3..51a4565e4ff 100644 --- a/CHANGELOG-developer.next.asciidoc +++ b/CHANGELOG-developer.next.asciidoc @@ -106,3 +106,4 @@ The list below covers the major changes between 7.0.0-rc2 and master only. - Make the mage binary used by the build process in the docker container to be statically compiled. {pull}20827[20827] - Update ecszap to v0.3.0 for using ECS 1.6.0 in logs {pull}22267[22267] - Add support for customized monitoring API. {pull}22605[22605] +- Update Go version to 1.15.7. {pull}22495[22495] diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc index 2b75b0e9005..c24284950fa 100644 --- a/CHANGELOG.next.asciidoc +++ b/CHANGELOG.next.asciidoc @@ -986,6 +986,11 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d *Affecting all Beats* +- Selecting `full` in `ssl.verification_mode` option will not treat CommonName field in x509 certificates as + a hostname when Subject Alternative Name is not present from v8.0. + Please update your certificates so it contains at least one DNSName instead of relying on CommonName in the new + major version of Beats. + *Filebeat* - The experimental modules for Citrix Netscaler and Symantec Endpoint Protection have been removed. diff --git a/auditbeat/Dockerfile b/auditbeat/Dockerfile index c6d4c0c0735..e5767ab1167 100644 --- a/auditbeat/Dockerfile +++ b/auditbeat/Dockerfile @@ -1,4 +1,4 @@ -FROM golang:1.14.12 +FROM golang:1.15.7 RUN \ apt-get update \ diff --git a/auditbeat/auditbeat.reference.yml b/auditbeat/auditbeat.reference.yml index ef82491a4dd..7a053b62884 100644 --- a/auditbeat/auditbeat.reference.yml +++ b/auditbeat/auditbeat.reference.yml @@ -529,6 +529,12 @@ output.elasticsearch: # matches the names identified within the certificate. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. + # * strict, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. If the Subject Alternative + # Name is empty, it returns an error. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. # * none, which performs no verification of the server's certificate. This # mode disables many of the security benefits of SSL/TLS and should only be used # after very careful consideration. It is primarily intended as a temporary @@ -656,6 +662,12 @@ output.elasticsearch: # matches the names identified within the certificate. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. + # * strict, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. If the Subject Alternative + # Name is empty, it returns an error. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. # * none, which performs no verification of the server's certificate. This # mode disables many of the security benefits of SSL/TLS and should only be used # after very careful consideration. It is primarily intended as a temporary @@ -853,6 +865,12 @@ output.elasticsearch: # matches the names identified within the certificate. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. + # * strict, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. If the Subject Alternative + # Name is empty, it returns an error. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. # * none, which performs no verification of the server's certificate. This # mode disables many of the security benefits of SSL/TLS and should only be used # after very careful consideration. It is primarily intended as a temporary @@ -1009,6 +1027,12 @@ output.elasticsearch: # matches the names identified within the certificate. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. + # * strict, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. If the Subject Alternative + # Name is empty, it returns an error. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. # * none, which performs no verification of the server's certificate. This # mode disables many of the security benefits of SSL/TLS and should only be used # after very careful consideration. It is primarily intended as a temporary @@ -1305,6 +1329,12 @@ setup.kibana: # matches the names identified within the certificate. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. + # * strict, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. If the Subject Alternative + # Name is empty, it returns an error. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. # * none, which performs no verification of the server's certificate. This # mode disables many of the security benefits of SSL/TLS and should only be used # after very careful consideration. It is primarily intended as a temporary @@ -1502,6 +1532,12 @@ logging.files: # matches the names identified within the certificate. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. + # * strict, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. If the Subject Alternative + # Name is empty, it returns an error. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. # * none, which performs no verification of the server's certificate. This # mode disables many of the security benefits of SSL/TLS and should only be used # after very careful consideration. It is primarily intended as a temporary diff --git a/filebeat/Dockerfile b/filebeat/Dockerfile index d9707991a5f..8b3983fa8da 100644 --- a/filebeat/Dockerfile +++ b/filebeat/Dockerfile @@ -1,4 +1,4 @@ -FROM golang:1.14.12 +FROM golang:1.15.7 RUN \ apt-get update \ diff --git a/filebeat/filebeat.reference.yml b/filebeat/filebeat.reference.yml index 91b1dfa3190..6cf5f8d33fa 100644 --- a/filebeat/filebeat.reference.yml +++ b/filebeat/filebeat.reference.yml @@ -1409,6 +1409,12 @@ output.elasticsearch: # matches the names identified within the certificate. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. + # * strict, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. If the Subject Alternative + # Name is empty, it returns an error. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. # * none, which performs no verification of the server's certificate. This # mode disables many of the security benefits of SSL/TLS and should only be used # after very careful consideration. It is primarily intended as a temporary @@ -1536,6 +1542,12 @@ output.elasticsearch: # matches the names identified within the certificate. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. + # * strict, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. If the Subject Alternative + # Name is empty, it returns an error. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. # * none, which performs no verification of the server's certificate. This # mode disables many of the security benefits of SSL/TLS and should only be used # after very careful consideration. It is primarily intended as a temporary @@ -1733,6 +1745,12 @@ output.elasticsearch: # matches the names identified within the certificate. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. + # * strict, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. If the Subject Alternative + # Name is empty, it returns an error. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. # * none, which performs no verification of the server's certificate. This # mode disables many of the security benefits of SSL/TLS and should only be used # after very careful consideration. It is primarily intended as a temporary @@ -1889,6 +1907,12 @@ output.elasticsearch: # matches the names identified within the certificate. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. + # * strict, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. If the Subject Alternative + # Name is empty, it returns an error. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. # * none, which performs no verification of the server's certificate. This # mode disables many of the security benefits of SSL/TLS and should only be used # after very careful consideration. It is primarily intended as a temporary @@ -2185,6 +2209,12 @@ setup.kibana: # matches the names identified within the certificate. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. + # * strict, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. If the Subject Alternative + # Name is empty, it returns an error. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. # * none, which performs no verification of the server's certificate. This # mode disables many of the security benefits of SSL/TLS and should only be used # after very careful consideration. It is primarily intended as a temporary @@ -2382,6 +2412,12 @@ logging.files: # matches the names identified within the certificate. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. + # * strict, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. If the Subject Alternative + # Name is empty, it returns an error. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. # * none, which performs no verification of the server's certificate. This # mode disables many of the security benefits of SSL/TLS and should only be used # after very careful consideration. It is primarily intended as a temporary diff --git a/filebeat/input/kafka/config.go b/filebeat/input/kafka/config.go index 0e4888b90c3..75a0957744a 100644 --- a/filebeat/input/kafka/config.go +++ b/filebeat/input/kafka/config.go @@ -177,7 +177,7 @@ func newSaramaConfig(config kafkaInputConfig) (*sarama.Config, error) { } if tls != nil { k.Net.TLS.Enable = true - k.Net.TLS.Config = tls.BuildModuleConfig("") + k.Net.TLS.Config = tls.BuildModuleClientConfig("") } if config.Kerberos.IsEnabled() { diff --git a/filebeat/input/mqtt/client.go b/filebeat/input/mqtt/client.go index 701498f3c56..068dca04386 100644 --- a/filebeat/input/mqtt/client.go +++ b/filebeat/input/mqtt/client.go @@ -40,7 +40,7 @@ func createClientOptions(config mqttInputConfig, onConnectHandler func(client li if err != nil { return nil, err } - clientOptions.SetTLSConfig(tlsConfig.BuildModuleConfig("")) + clientOptions.SetTLSConfig(tlsConfig.BuildModuleClientConfig("")) } return clientOptions, nil } diff --git a/filebeat/inputsource/tcp/server.go b/filebeat/inputsource/tcp/server.go index 270ebc9c0c5..42c88693879 100644 --- a/filebeat/inputsource/tcp/server.go +++ b/filebeat/inputsource/tcp/server.go @@ -68,7 +68,7 @@ func (s *Server) createServer() (net.Listener, error) { var l net.Listener var err error if s.tlsConfig != nil { - t := s.tlsConfig.BuildModuleConfig(s.config.Host) + t := s.tlsConfig.BuildServerConfig(s.config.Host) l, err = tls.Listen("tcp", s.config.Host, t) if err != nil { return nil, err diff --git a/filebeat/tests/system/test_tcp_tls.py b/filebeat/tests/system/test_tcp_tls.py index 4001fd863c9..845ade6b288 100644 --- a/filebeat/tests/system/test_tcp_tls.py +++ b/filebeat/tests/system/test_tcp_tls.py @@ -127,6 +127,8 @@ def test_tcp_over_tls_and_verify_invalid_server_without_mutual_auth(self): with pytest.raises(ssl.SSLError): tls.connect((config.get('host'), config.get('port'))) + sock.close() + def test_tcp_over_tls_mutual_auth_fails(self): """ Test filebeat TCP with TLS with default setting to enforce client auth, with bad client certificates @@ -171,6 +173,8 @@ def test_tcp_over_tls_mutual_auth_fails(self): # so that the failure can be reported as an exception when it arrives. tls.recv(1) + sock.close() + def test_tcp_over_tls_mutual_auth_succeed(self): """ Test filebeat TCP with TLS when enforcing client auth with good client certificates. @@ -275,6 +279,8 @@ def test_tcp_tls_with_a_plain_text_socket(self): assert path.isfile(path.join(self.working_dir, "output/" + self.beat_name)) is False + sock.close() + def assert_output(self, output): assert len(output) == 2 assert output[0]["input.type"] == "tcp" diff --git a/go.mod b/go.mod index 1b611711840..b0c1c974fc1 100644 --- a/go.mod +++ b/go.mod @@ -1,6 +1,6 @@ module github.com/elastic/beats/v7 -go 1.14 +go 1.15 require ( 4d63.com/tz v1.1.1-0.20191124060701-6d37baae851b diff --git a/heartbeat/Dockerfile b/heartbeat/Dockerfile index f0155d34274..51c2b06d485 100644 --- a/heartbeat/Dockerfile +++ b/heartbeat/Dockerfile @@ -1,4 +1,4 @@ -FROM golang:1.14.12 +FROM golang:1.15.7 RUN \ apt-get update \ diff --git a/heartbeat/heartbeat.reference.yml b/heartbeat/heartbeat.reference.yml index 37e3e2ed122..e39dfa16d69 100644 --- a/heartbeat/heartbeat.reference.yml +++ b/heartbeat/heartbeat.reference.yml @@ -707,6 +707,12 @@ output.elasticsearch: # matches the names identified within the certificate. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. + # * strict, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. If the Subject Alternative + # Name is empty, it returns an error. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. # * none, which performs no verification of the server's certificate. This # mode disables many of the security benefits of SSL/TLS and should only be used # after very careful consideration. It is primarily intended as a temporary @@ -834,6 +840,12 @@ output.elasticsearch: # matches the names identified within the certificate. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. + # * strict, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. If the Subject Alternative + # Name is empty, it returns an error. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. # * none, which performs no verification of the server's certificate. This # mode disables many of the security benefits of SSL/TLS and should only be used # after very careful consideration. It is primarily intended as a temporary @@ -1031,6 +1043,12 @@ output.elasticsearch: # matches the names identified within the certificate. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. + # * strict, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. If the Subject Alternative + # Name is empty, it returns an error. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. # * none, which performs no verification of the server's certificate. This # mode disables many of the security benefits of SSL/TLS and should only be used # after very careful consideration. It is primarily intended as a temporary @@ -1187,6 +1205,12 @@ output.elasticsearch: # matches the names identified within the certificate. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. + # * strict, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. If the Subject Alternative + # Name is empty, it returns an error. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. # * none, which performs no verification of the server's certificate. This # mode disables many of the security benefits of SSL/TLS and should only be used # after very careful consideration. It is primarily intended as a temporary @@ -1483,6 +1507,12 @@ setup.kibana: # matches the names identified within the certificate. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. + # * strict, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. If the Subject Alternative + # Name is empty, it returns an error. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. # * none, which performs no verification of the server's certificate. This # mode disables many of the security benefits of SSL/TLS and should only be used # after very careful consideration. It is primarily intended as a temporary @@ -1680,6 +1710,12 @@ logging.files: # matches the names identified within the certificate. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. + # * strict, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. If the Subject Alternative + # Name is empty, it returns an error. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. # * none, which performs no verification of the server's certificate. This # mode disables many of the security benefits of SSL/TLS and should only be used # after very careful consideration. It is primarily intended as a temporary diff --git a/heartbeat/monitors/active/fixtures/expired.cert b/heartbeat/monitors/active/fixtures/expired.cert index e39ad893bd6..959486cec37 100644 --- a/heartbeat/monitors/active/fixtures/expired.cert +++ b/heartbeat/monitors/active/fixtures/expired.cert @@ -1,23 +1,21 @@ -----BEGIN CERTIFICATE----- -MIID3zCCAsegAwIBAgIUS+ahW2wxDZ1bT/qYnenS8jrXUcAwDQYJKoZIhvcNAQEL -BQAwfzELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAk1OMRQwEgYDVQQHDAtNaW5uZWFw -b2xpczEVMBMGA1UECgwMRWxhc3RpYywgSW5jMRQwEgYDVQQLDAtFbmdpbmVlcmlu -ZzEgMB4GA1UEAwwXZXhwaXJlZHRlc3QuZXhhbXBsZS5uZXQwHhcNMjAwNDIxMTQw -MDE0WhcNMjAwNDIyMTQwMDE0WjB/MQswCQYDVQQGEwJVUzELMAkGA1UECAwCTU4x -FDASBgNVBAcMC01pbm5lYXBvbGlzMRUwEwYDVQQKDAxFbGFzdGljLCBJbmMxFDAS -BgNVBAsMC0VuZ2luZWVyaW5nMSAwHgYDVQQDDBdleHBpcmVkdGVzdC5leGFtcGxl -Lm5ldDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKh1iS5EZ7bDSKgW -R3JXAepMIaEewMSdbaoBtuNQb48XJGwI0mudF983a7JxGCSfw9mhVYa4YsSv79UE -XomGrWVrS01Cmf1VRIOmxevWMPhvnE6UH+5VxKUBk5ooNSty4iHkDFy2i5WWjxiv -de6Xqnn/dVQhuT/sW+rU/grCsGcdUwqsWnC547ekqiYRTtyZrdh+U0KRKqy5iBlH -9Woua+CnXmsD7+4MgGekErg9XLRHYveLOmLucbNlAIlRyfMDZL1RlXufcGwhzItz -JNM9N0NJ5bwrpuP0RYlYbbMYal+b1Tn2e8qkMm88hniQkuu69kUpKeewIOr62vIK -tI273GECAwEAAaNTMFEwHQYDVR0OBBYEFKgd6wQcgIdUSjtJREObD+R3q3MPMB8G -A1UdIwQYMBaAFKgd6wQcgIdUSjtJREObD+R3q3MPMA8GA1UdEwEB/wQFMAMBAf8w -DQYJKoZIhvcNAQELBQADggEBADkBqmCUcvVTqu5IIZ5PLz40jdg2luaDHEA6I2Ga -1ioabETfQhXeaNJflojYm0Bzsy2aneVLGM2KaZ76wN0yvib3MZ4miu4C/mDsR3bB -wq7/CAK2AcJXv1jk0vIrK6DhZfA2HaelBkQ8UHwWK7AO+JmS6jozIt1vySwPI1E7 -lMFWbs3bmsSmunj3+66XS2XguUKzFwUIAEOfsPFqT2OMsPIa7weUWuCV/zMi7fuB -HbgVouYvMTve8wx7+ozDk6CyvlRlx20xwdOvXaH3JILw7gTQWcAEWZLcB2ct1Zks -UTtbIAjBV6s0Pm/2/6MxxkDCVVUpwXiiKBRkHxzkgoH7TQw= +MIIDazCCAlOgAwIBAgIUJGs/M/NeLac1U+H58kwZYgSUoMgwDQYJKoZIhvcNAQEL +BQAwRTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoM +GEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDAeFw0yMTAxMTgxNTQxNDdaFw0yMTAx +MTkxNTQxNDdaMEUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEw +HwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwggEiMA0GCSqGSIb3DQEB +AQUAA4IBDwAwggEKAoIBAQDGo1zHFcEZT4gFe24in23O1C1AtCSP2wfZCHyA9Tvj +fak3dgI5BESPHHu8lqo8V4C2ViAnBBoQ9Uq3nd38CdVJyYK5vtrHpTVLK8OIasOD +eMHBwEOMQQN6js9in0lvixBTK2oZOOcONSSxQVFUKIgSfY8sBJViYftkolPmT/OZ +bipzBoikclKDQykM9GAh/IVSQpfC+PIJT31xOXmwvy9zL5eiLDRIsZpuauI6L7/f +RkapMXtDz0QuP3aZ/VZNydagmfrz0LiBfoX7B93ZRAPLmk9KzRb/RTcuxD28d45v +KtZXUr/cR6S5gwqzb1sEaOOR+kz9aeNzwGFl6LmcgpqfAgMBAAGjUzBRMB0GA1Ud +DgQWBBTKlcyCuhJ07eTv/y33LN6/SVB1FzAfBgNVHSMEGDAWgBTKlcyCuhJ07eTv +/y33LN6/SVB1FzAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQBo +mv85XCM+qNvn7nNXXvI8h7PFBYZAn6trD713liiD4fURjRmQt/EDXo1ZyJhmqm3n +UHqTbQ1srnhz2zTKbBD1m4rby3bu9l0IvoCihNnd3jEzcz6IkT5TqPy6FwQdKoD4 +U0miGvmSyKs7/IyJepy6k+XUI9KSsi4k/ECx4nAvvf05Yv7XtSvPpVPHW6uvLsTu +jv8C8CcND66LrUsqn2CRkiXXX68KJSDPvT4fdNDz1nIykN0AAvVs8rA3R35dgjiR +9aHsDqkqf6QIZ0jCKbZL4Z/j5tj26P1nEUsDeZ46FECipie2z9oZII897X+Yzrcg +d9RKMlVpBwQg/iFD9orw -----END CERTIFICATE----- diff --git a/heartbeat/monitors/active/fixtures/expired.key b/heartbeat/monitors/active/fixtures/expired.key index 2a11440f7aa..3f29313cc4e 100644 --- a/heartbeat/monitors/active/fixtures/expired.key +++ b/heartbeat/monitors/active/fixtures/expired.key @@ -1,28 +1,28 @@ -----BEGIN PRIVATE KEY----- -MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCodYkuRGe2w0io -FkdyVwHqTCGhHsDEnW2qAbbjUG+PFyRsCNJrnRffN2uycRgkn8PZoVWGuGLEr+/V -BF6Jhq1la0tNQpn9VUSDpsXr1jD4b5xOlB/uVcSlAZOaKDUrcuIh5AxctouVlo8Y -r3Xul6p5/3VUIbk/7Fvq1P4KwrBnHVMKrFpwueO3pKomEU7cma3YflNCkSqsuYgZ -R/VqLmvgp15rA+/uDIBnpBK4PVy0R2L3izpi7nGzZQCJUcnzA2S9UZV7n3BsIcyL -cyTTPTdDSeW8K6bj9EWJWG2zGGpfm9U59nvKpDJvPIZ4kJLruvZFKSnnsCDq+try -CrSNu9xhAgMBAAECggEBAIc32QYvWESmWeK6B11rI5lqxK+snLT1XLpSp/esb++e -dtjU9/nzXd8JgEP6bZOwPiepTZpW1MjmJA+Lc0rWtMYsqoP4ityDHfzC2CmmgyZX -iFK2qS7I35BHRLA/x/X5QDRN9fJRgJdxA6mf5Xy/dtJ4UDhY3XbHBTzo/IWsoqYQ -4V3WBQYMGlhBArCoOx07pwc9NMTnXwpfe4rUdm3EaGGpe/9JT08JcTyFZfFUeFT1 -lfSYo5i+xPOCQ/FcC5GfWdciyY0c8ej8iwdxZb0kPI4hBu36+D6zD+YoNoC3CQTb -MecRFQ0MeTTuUMCdzFWtg+2FWnJucaLiaK9fKbVzi7UCgYEA0BAlfUdXdeDYMlW3 -2ReeOgH32bchPYwn2UvHYkIhhDp40STVw3BYQ0Zj9yJQXLFaoY1SFhwRJR1kpbSd -IfME/IzR/oMFvRUNQEPQZVH0Mg9FWIXLdXlV4qbU3AyA2r4x+VUCt3jp1n/5rG7g -cmoKBdCXNUAhK30bRGTdXB06Fp8CgYEAz0V+IlkGyDKcyCkja0ypA3AdSod/43az -7HMS3nf32hOFpgQuEtVYZc3NW/rdJFPksnRd6+RlD2nIoHZEa+adl2gESjGH2asw -nhxP/Pr4m8PGZF5BwdILRTVFukf5yrM6g63FgrgA9d+QdCsqoqrctItRyCgcfpL4 -XYXEKVWELP8CgYATxbUKVsFE/n0NK4AxLUFoGc/H7NNH2g3fZIgqGka9HiFlHq8B -x6dbnVDap3QjmucV+ywV1cz7TfPGm4djNoj+xxMdsK3W7i04MjmXp1Yhe7oHU4+m -NkWnKFuKHdYQ84okO6Pqc58lNzwu2sqRlOom60+zS8jbLSRuN3ehzVU72QKBgGm0 -qCo+Ou44maqfCFg9hWiicd3Dkt5feE0bNsFMb5PBJwTO1ux175ojxhqlqshPHLBC -FnAqT7v3mAD1r9lTiIVh3+YysnS5EJdiGw0KtWVDB9fCFkkRpPvLul7RPDw7AZmM -MtGCo8LBHHuSVDEXcG2HK9MnWbjXnWCcyrjFyx3jAoGAYsNGYm+OBr16NNsPtx3S -nRQJz9wqB2mIqNU8rRSjd5EUp03jhHiTEN9DT6iEnLGaTDBUgD2RlPvEVGk1N7FT -nh9tLtg2ytWIC/P+QrKwzdUUa00MSswTxRS3Cmy459UbLBiPgHBJ2h1G7gsiHPOt -erJWqYJ8DXvLzCPdMVzQxj8= +MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQDGo1zHFcEZT4gF +e24in23O1C1AtCSP2wfZCHyA9Tvjfak3dgI5BESPHHu8lqo8V4C2ViAnBBoQ9Uq3 +nd38CdVJyYK5vtrHpTVLK8OIasODeMHBwEOMQQN6js9in0lvixBTK2oZOOcONSSx +QVFUKIgSfY8sBJViYftkolPmT/OZbipzBoikclKDQykM9GAh/IVSQpfC+PIJT31x +OXmwvy9zL5eiLDRIsZpuauI6L7/fRkapMXtDz0QuP3aZ/VZNydagmfrz0LiBfoX7 +B93ZRAPLmk9KzRb/RTcuxD28d45vKtZXUr/cR6S5gwqzb1sEaOOR+kz9aeNzwGFl +6LmcgpqfAgMBAAECggEAdd93LMSiA80IIIiwQGdvF+8cs2qyz5LgQ1Af4b6kvUhS +ZBDpHMCFlo8GdlDJ0Gj0fj75cW2jsjB9GBzcH7YOFW0439R7q0FEMMlVjNweDSRZ +hgn7i30A/XdFZXa0czaIh3IZ0cHMisfKcE0cX951cNOFZE+L/ge60Grrcp47Je4H +r5F8fBaP2j729fQlpF3Kzl0uYCRqn9CD+KRMmz8nx9ifxmPM4ddVK8Xg8quVSU1x +HyeN7VfF0Hcvsv6+DRiZqgASu9pSggVffEmW4EBRNuJK4RPKFUriTTUTd8DUS39d +xxA4CjM/t+YjQOYcKlZGxxqu+ILPJnSTfyVe+lvp0QKBgQDvi5GRPuVGegO8nPqE +EHn9fh0CuVtRZjr+7YwJmlYY6WsEuVFOGlo+OdPQwk+iJuT187FYc83PwozRRoI+ +NfMC8lByMGXK0deTfCuK422U+PBuXP/U3xEK6rb1plFiNyw37wxivRTvSX/xZ8ZI +u+zS89LmWQn4oX2fbJUjcfol0wKBgQDUSHAv4PgYQutydgm2n2+asY/BeZupKqmR +FUINmcM8zZ6OC37xrT2TZoGT4WfCRJlvsj6Gpwzf6gM+MAluTQJ6ZxdAP8ifsUJT +69lyRL4o11qLvXsIexdHFUDRxv9E0pWQbEOUH7dZnWuZAXOc9sBVQLW7Hb9UJhzU +JNhsjWK8hQKBgESqO0XpQ4uaOiv8y4rDtlRFrEc1nsmMhmjA6x1tkjR95GFsRbQf +tbKUnPUAXhdbEtK10iZKu7pMSFVM4tS2Xjx//TNeUC99S1BJjam4W5cSbMkV+3en +oZkBgwSTcky3CAPYkDJVhQS6iuRGHP6Ib/BgWBoTd9o/YGUsmOuaJlxlAoGAUkH7 +juH64NPVjlXk76oaQfQ6AzuPMN8CM+Dr5n9FoyL+JIaZ2yZJLPvUjCwU27dfSWPl +TKIgoAd62DcfAGnA4xNddB0DLbYvQHusl9XBZewE/w8eRKwF2hqHMoKM2etL31nE +WfpsPsJ8Nh7U4ObQonhfszEUuZPHKgFZB79Fmk0CgYB0XEuZuSva3uKACbQQS2L2 +jeO23cmE+rSdfw9tL6O2OLZkKbDkHxMXu/G305ciyW+Hmw4CwC6B2IDJuCjzYGVr +7FL/XP0d/pksOIqjNi2VQvARO+7NStXqcgmB9p/vlyYkKLIcGKQ2w169QaNOLylc +L/DKQsIUqMqNsRcd4at/Kg== -----END PRIVATE KEY----- diff --git a/heartbeat/monitors/active/http/http_test.go b/heartbeat/monitors/active/http/http_test.go index 2e5a43656ad..cd2c03dee3f 100644 --- a/heartbeat/monitors/active/http/http_test.go +++ b/heartbeat/monitors/active/http/http_test.go @@ -626,7 +626,12 @@ func TestNewRoundTripper(t *testing.T) { require.NotNil(t, transp.Dial) require.NotNil(t, transport.TLSDialer) - require.Equal(t, (&tlscommon.TLSConfig{}).ToConfig(), transp.TLSClientConfig) + expected := (&tlscommon.TLSConfig{}).ToConfig() + require.Equal(t, expected.InsecureSkipVerify, transp.TLSClientConfig.InsecureSkipVerify) + // When we remove support for the legacy common name treatment + // this test has to be adjusted, as we will not depend on our + // VerifyConnection callback. + require.NotNil(t, transp.TLSClientConfig.VerifyConnection) require.True(t, transp.DisableKeepAlives) }) } diff --git a/journalbeat/Dockerfile b/journalbeat/Dockerfile index 6df4d47d885..36af746307c 100644 --- a/journalbeat/Dockerfile +++ b/journalbeat/Dockerfile @@ -1,4 +1,4 @@ -FROM golang:1.14.12 +FROM golang:1.15.7 RUN \ apt-get update \ diff --git a/journalbeat/journalbeat.reference.yml b/journalbeat/journalbeat.reference.yml index 7e875edcf8e..1eb7814f834 100644 --- a/journalbeat/journalbeat.reference.yml +++ b/journalbeat/journalbeat.reference.yml @@ -472,6 +472,12 @@ output.elasticsearch: # matches the names identified within the certificate. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. + # * strict, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. If the Subject Alternative + # Name is empty, it returns an error. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. # * none, which performs no verification of the server's certificate. This # mode disables many of the security benefits of SSL/TLS and should only be used # after very careful consideration. It is primarily intended as a temporary @@ -599,6 +605,12 @@ output.elasticsearch: # matches the names identified within the certificate. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. + # * strict, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. If the Subject Alternative + # Name is empty, it returns an error. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. # * none, which performs no verification of the server's certificate. This # mode disables many of the security benefits of SSL/TLS and should only be used # after very careful consideration. It is primarily intended as a temporary @@ -796,6 +808,12 @@ output.elasticsearch: # matches the names identified within the certificate. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. + # * strict, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. If the Subject Alternative + # Name is empty, it returns an error. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. # * none, which performs no verification of the server's certificate. This # mode disables many of the security benefits of SSL/TLS and should only be used # after very careful consideration. It is primarily intended as a temporary @@ -952,6 +970,12 @@ output.elasticsearch: # matches the names identified within the certificate. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. + # * strict, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. If the Subject Alternative + # Name is empty, it returns an error. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. # * none, which performs no verification of the server's certificate. This # mode disables many of the security benefits of SSL/TLS and should only be used # after very careful consideration. It is primarily intended as a temporary @@ -1248,6 +1272,12 @@ setup.kibana: # matches the names identified within the certificate. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. + # * strict, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. If the Subject Alternative + # Name is empty, it returns an error. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. # * none, which performs no verification of the server's certificate. This # mode disables many of the security benefits of SSL/TLS and should only be used # after very careful consideration. It is primarily intended as a temporary @@ -1445,6 +1475,12 @@ logging.files: # matches the names identified within the certificate. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. + # * strict, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. If the Subject Alternative + # Name is empty, it returns an error. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. # * none, which performs no verification of the server's certificate. This # mode disables many of the security benefits of SSL/TLS and should only be used # after very careful consideration. It is primarily intended as a temporary diff --git a/libbeat/Dockerfile b/libbeat/Dockerfile index b7dde2b92cf..cc9829656ed 100644 --- a/libbeat/Dockerfile +++ b/libbeat/Dockerfile @@ -1,4 +1,4 @@ -FROM golang:1.14.12 +FROM golang:1.15.7 RUN \ apt-get update \ diff --git a/libbeat/_meta/config/ssl.reference.yml.tmpl b/libbeat/_meta/config/ssl.reference.yml.tmpl index 88f638e21b0..69b666f9c97 100644 --- a/libbeat/_meta/config/ssl.reference.yml.tmpl +++ b/libbeat/_meta/config/ssl.reference.yml.tmpl @@ -7,6 +7,12 @@ # matches the names identified within the certificate. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. +# * strict, which verifies that the provided certificate is signed by a trusted +# authority (CA) and also verifies that the server's hostname (or IP address) +# matches the names identified within the certificate. If the Subject Alternative +# Name is empty, it returns an error. +# * certificate, which verifies that the provided certificate is signed by a +# trusted authority (CA), but does not perform any hostname verification. # * none, which performs no verification of the server's certificate. This # mode disables many of the security benefits of SSL/TLS and should only be used # after very careful consideration. It is primarily intended as a temporary diff --git a/libbeat/common/transport/tls.go b/libbeat/common/transport/tls.go index 0373297fd00..10ece84dc47 100644 --- a/libbeat/common/transport/tls.go +++ b/libbeat/common/transport/tls.go @@ -62,7 +62,7 @@ func TestTLSDialer( tlsConfig = lastTLSConfig } if tlsConfig == nil { - tlsConfig = config.BuildModuleConfig(host) + tlsConfig = config.BuildModuleClientConfig(host) lastNetwork = network lastAddress = address lastTLSConfig = tlsConfig diff --git a/libbeat/common/transport/tlscommon/ca_pinning_test.go b/libbeat/common/transport/tlscommon/ca_pinning_test.go index c188a20e63a..ac441225090 100644 --- a/libbeat/common/transport/tlscommon/ca_pinning_test.go +++ b/libbeat/common/transport/tlscommon/ca_pinning_test.go @@ -44,22 +44,22 @@ var ser int64 = 1 func TestCAPinning(t *testing.T) { host := "127.0.0.1" - t.Run("when the ca_sha256 field is not defined we use normal certificate validation", - func(t *testing.T) { - cfg := common.MustNewConfigFrom(map[string]interface{}{ - "certificate_authorities": []string{"ca_test.pem"}, - }) + t.Run("when the ca_sha256 field is not defined we use normal certificate validation", func(t *testing.T) { + cfg := common.MustNewConfigFrom(map[string]interface{}{ + "verification_mode": "strict", + "certificate_authorities": []string{"ca_test.pem"}, + }) - config := &Config{} - err := cfg.Unpack(config) - require.NoError(t, err) + config := &Config{} + err := cfg.Unpack(config) + require.NoError(t, err) - tlsCfg, err := LoadTLSConfig(config) - require.NoError(t, err) + tlsCfg, err := LoadTLSConfig(config) + require.NoError(t, err) - tls := tlsCfg.BuildModuleConfig(host) - require.Nil(t, tls.VerifyPeerCertificate) - }) + tls := tlsCfg.BuildModuleClientConfig(host) + require.Nil(t, tls.VerifyConnection) + }) t.Run("when the ca_sha256 field is defined we use CA cert pinning", func(t *testing.T) { cfg := common.MustNewConfigFrom(map[string]interface{}{ @@ -73,83 +73,93 @@ func TestCAPinning(t *testing.T) { tlsCfg, err := LoadTLSConfig(config) require.NoError(t, err) - tls := tlsCfg.BuildModuleConfig(host) - require.NotNil(t, tls.VerifyPeerCertificate) + tls := tlsCfg.BuildModuleClientConfig(host) + require.NotNil(t, tls.VerifyConnection) }) t.Run("CA Root -> Certificate and we have the CA root pin", func(t *testing.T) { - msg := []byte("OK received message") - - ca, err := genCA() - require.NoError(t, err) - - serverCert, err := genSignedCert(ca, x509.KeyUsageDigitalSignature, false) - require.NoError(t, err) - - mux := http.NewServeMux() - mux.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) { - w.WriteHeader(http.StatusOK) - w.Write(msg) - }) - - // Select a random available port from the OS. - addr := "localhost:0" - - l, err := net.Listen("tcp", addr) - - server := &http.Server{ - Handler: mux, - TLSConfig: &tls.Config{ - Certificates: []tls.Certificate{ - serverCert, - }, - }, - } - - // Start server and shut it down when the tests are over. - go server.ServeTLS(l, "", "") - defer l.Close() - - // Root CA Pool - require.NoError(t, err) - rootCAs := x509.NewCertPool() - rootCAs.AddCert(ca.Leaf) - - // Get the pin of the RootCA. - pin := Fingerprint(ca.Leaf) - - tlsC := &TLSConfig{ - RootCAs: rootCAs, - CASha256: []string{pin}, + verificationModes := []TLSVerificationMode{ + VerifyFull, + VerifyStrict, + VerifyCertificate, } - - config := tlsC.BuildModuleConfig("localhost") - hostToConnect := l.Addr().String() - - transport := &http.Transport{ - TLSClientConfig: config, + for _, mode := range verificationModes { + t.Run(mode.String(), func(t *testing.T) { + msg := []byte("OK received message") + + ca, err := genCA() + require.NoError(t, err) + + serverCert, err := genSignedCert(ca, x509.KeyUsageDigitalSignature, false) + require.NoError(t, err) + + mux := http.NewServeMux() + mux.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) { + w.WriteHeader(http.StatusOK) + w.Write(msg) + }) + + // Select a random available port from the OS. + addr := "localhost:0" + + l, err := net.Listen("tcp", addr) + + server := &http.Server{ + Handler: mux, + TLSConfig: &tls.Config{ + Certificates: []tls.Certificate{ + serverCert, + }, + }, + } + + // Start server and shut it down when the tests are over. + go server.ServeTLS(l, "", "") + defer l.Close() + + // Root CA Pool + require.NoError(t, err) + rootCAs := x509.NewCertPool() + rootCAs.AddCert(ca.Leaf) + + // Get the pin of the RootCA. + pin := Fingerprint(ca.Leaf) + + tlsC := &TLSConfig{ + Verification: mode, + RootCAs: rootCAs, + CASha256: []string{pin}, + } + + config := tlsC.BuildModuleClientConfig("localhost") + hostToConnect := l.Addr().String() + + transport := &http.Transport{ + TLSClientConfig: config, + } + + client := &http.Client{Transport: transport} + + port := strings.TrimPrefix(hostToConnect, "127.0.0.1:") + + req, err := http.NewRequest("GET", "https://localhost:"+port, nil) + require.NoError(t, err) + resp, err := client.Do(req) + require.NoError(t, err) + content, err := ioutil.ReadAll(resp.Body) + require.NoError(t, err) + + assert.True(t, bytes.Equal(msg, content)) + + // 1. create key-pair + // 2. create pin + // 3. start server + // 4. Connect + // 5. Check wrong key do not work + // 6. Check good key work + // 7. check plain text fails to work. + }) } - - client := &http.Client{Transport: transport} - - port := strings.TrimPrefix(hostToConnect, "127.0.0.1:") - - req, err := http.NewRequest("GET", "https://localhost:"+port, nil) - require.NoError(t, err) - resp, err := client.Do(req) - require.NoError(t, err) - content, err := ioutil.ReadAll(resp.Body) - require.NoError(t, err) - - assert.True(t, bytes.Equal(msg, content)) - - // 1. create key-pair - // 2. create pin - // 3. start server - // 4. Connect - // 5. Check wrong key do not work - // 6. Check good key work - // 7. check plain text fails to work. }) t.Run("CA Root -> Intermediate -> Certificate and we receive the CA Root Pin", func(t *testing.T) { @@ -205,7 +215,7 @@ func TestCAPinning(t *testing.T) { CASha256: []string{pin}, } - config := tlsC.BuildModuleConfig("localhost") + config := tlsC.BuildModuleClientConfig("localhost") hostToConnect := l.Addr().String() transport := &http.Transport{ @@ -279,7 +289,7 @@ func TestCAPinning(t *testing.T) { CASha256: []string{pin}, } - config := tlsC.BuildModuleConfig("localhost") + config := tlsC.BuildModuleClientConfig("localhost") hostToConnect := l.Addr().String() transport := &http.Transport{ @@ -343,6 +353,7 @@ func genCA() (tls.Certificate, error) { func genSignedCert(ca tls.Certificate, keyUsage x509.KeyUsage, isCA bool) (tls.Certificate, error) { // Create another Cert/key cert := &x509.Certificate{ + DNSNames: []string{"localhost"}, SerialNumber: big.NewInt(2000), Subject: pkix.Name{ CommonName: "localhost", diff --git a/libbeat/common/transport/tlscommon/config.go b/libbeat/common/transport/tlscommon/config.go index 8d7650eb5bf..30009c2b13b 100644 --- a/libbeat/common/transport/tlscommon/config.go +++ b/libbeat/common/transport/tlscommon/config.go @@ -21,6 +21,8 @@ import ( "crypto/tls" "github.com/joeshaw/multierror" + + "github.com/elastic/beats/v7/libbeat/common/cfgwarn" ) // Config defines the user configurable options in the yaml file. @@ -96,6 +98,8 @@ func LoadTLSConfig(config *Config) (*TLSConfig, error) { // Validate values the TLSConfig struct making sure certificate sure we have both a certificate and // a key. func (c *Config) Validate() error { + cfgwarn.Deprecate("8.0.0", "Treating the CommonName field on X.509 certificates as a host name when no Subject Alternative Names are present is going to be removed. Please update your certificates if needed.") + return c.Certificate.Validate() } diff --git a/libbeat/common/transport/tlscommon/server_config.go b/libbeat/common/transport/tlscommon/server_config.go index 866d6e3c28c..e85a0c409c3 100644 --- a/libbeat/common/transport/tlscommon/server_config.go +++ b/libbeat/common/transport/tlscommon/server_config.go @@ -28,13 +28,14 @@ import ( // ServerConfig defines the user configurable tls options for any TCP based service. type ServerConfig struct { Enabled *bool `config:"enabled"` - VerificationMode TLSVerificationMode `config:"verification_mode"` // one of 'none', 'full' + VerificationMode TLSVerificationMode `config:"verification_mode"` // one of 'none', 'full', 'strict', 'certificate' Versions []TLSVersion `config:"supported_protocols"` CipherSuites []tlsCipherSuite `config:"cipher_suites"` CAs []string `config:"certificate_authorities"` Certificate CertificateConfig `config:",inline"` CurveTypes []tlsCurveType `config:"curve_types"` ClientAuth tlsClientAuth `config:"client_authentication"` //`none`, `optional` or `required` + CASha256 []string `config:"ca_sha256" yaml:"ca_sha256,omitempty"` } // LoadTLSServerConfig tranforms a ServerConfig into a `tls.Config` to be used directly with golang @@ -88,6 +89,7 @@ func LoadTLSServerConfig(config *ServerConfig) (*TLSConfig, error) { CipherSuites: cipherSuites, CurvePreferences: curves, ClientAuth: tls.ClientAuthType(config.ClientAuth), + CASha256: config.CASha256, }, nil } diff --git a/libbeat/common/transport/tlscommon/testdata/cacert.crt b/libbeat/common/transport/tlscommon/testdata/cacert.crt new file mode 100644 index 00000000000..debdf7e246e --- /dev/null +++ b/libbeat/common/transport/tlscommon/testdata/cacert.crt @@ -0,0 +1,24 @@ +-----BEGIN CERTIFICATE----- +MIIEBDCCAuygAwIBAgIUXwbLbwGjWWlQNrMUsdDpKzeGixEwDQYJKoZIhvcNAQEL +BQAwUDELMAkGA1UEBhMCQ0ExDzANBgNVBAgMBlF1ZWJlYzERMA8GA1UEBwwITW9u +dHJlYWwxDjAMBgNVBAoMBWJlYXRzMQ0wCwYDVQQLDARyb290MCAXDTE5MDcyMjE5 +MjkwNVoYDzIxMTkwNjI4MTkyOTA1WjBQMQswCQYDVQQGEwJDQTEPMA0GA1UECAwG +UXVlYmVjMREwDwYDVQQHDAhNb250cmVhbDEOMAwGA1UECgwFYmVhdHMxDTALBgNV +BAsMBHJvb3QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCtXsn+VCrW +ibutoByM5EeIK29XYffBwN78EeNjDdaZZqMF4wGZZ6z2xQXH6mFx+m1gjnf5R2qo +yfentYH5VRZz5AEtBGPsOqMffV9u5PkHSo/2ilCX40eBVp5u3qh6aFPZ5DKqexWu +5jUMYolTXpvAtML5YbMH9XvW6pn5WAqwHPLNe+fVuPg4tJN0u/ff0wKqSUBIhVOP +7EPhz3yLflACScgj+LPXz/5gtUXe9RR5RB8zyWGfNL91eoVVaApcdp4kIU+DHmgI +p+T4CpgdYWsYuOWH49F7RJyLpocUU4H+heeC4+zH0LIUcELa+n/M2DUDW3RE109a +tv9OEJKR8/YHAgMBAAGjgdMwgdAwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQU +fyEN1Qe7FlWa+2RBnl8Vd4ZCFkIwgY0GA1UdIwSBhTCBgoAUfyEN1Qe7FlWa+2RB +nl8Vd4ZCFkKhVKRSMFAxCzAJBgNVBAYTAkNBMQ8wDQYDVQQIDAZRdWViZWMxETAP +BgNVBAcMCE1vbnRyZWFsMQ4wDAYDVQQKDAViZWF0czENMAsGA1UECwwEcm9vdIIU +XwbLbwGjWWlQNrMUsdDpKzeGixEwDgYDVR0PAQH/BAQDAgGGMA0GCSqGSIb3DQEB +CwUAA4IBAQAANxJCfDMcNNnAVRlXLdh+loVx8Y5STf1gTgX2gtf9tHZGYE7/ix2P +dG1uQcEz/ETlcGSWRZcQSNR8dNeBi5YWK5dmDUD7reQr3FoyIDvPGHyIcF3clglg +blYhsQN0TVwx4G3kZDenjzKNSyVLR81opLq/PDIGW61ZCioJUQKs5q+IqsKj+okn +in6/b5YfQqyTDIWY3IPiXjvcysbKC0pYc0TkmwGUnidxDny7txrVCVJ1vwIedQug +B/UOjVxi0qsNwpWS08mwEOVvgvObi0mFoGQl8l427M0kM//86NM7vDc4Z0QYHOlq +A0ZjtnSbR3RqfhBGXV3BL+GHtXevn55Z +-----END CERTIFICATE----- diff --git a/libbeat/common/transport/tlscommon/testdata/cacert.key b/libbeat/common/transport/tlscommon/testdata/cacert.key new file mode 100644 index 00000000000..e864b93ed66 --- /dev/null +++ b/libbeat/common/transport/tlscommon/testdata/cacert.key @@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEowIBAAKCAQEArV7J/lQq1om7raAcjORHiCtvV2H3wcDe/BHjYw3WmWajBeMB +mWes9sUFx+phcfptYI53+UdqqMn3p7WB+VUWc+QBLQRj7DqjH31fbuT5B0qP9opQ +l+NHgVaebt6oemhT2eQyqnsVruY1DGKJU16bwLTC+WGzB/V71uqZ+VgKsBzyzXvn +1bj4OLSTdLv339MCqklASIVTj+xD4c98i35QAknII/iz18/+YLVF3vUUeUQfM8lh +nzS/dXqFVWgKXHaeJCFPgx5oCKfk+AqYHWFrGLjlh+PRe0Sci6aHFFOB/oXnguPs +x9CyFHBC2vp/zNg1A1t0RNdPWrb/ThCSkfP2BwIDAQABAoIBAQCQmLJYENL5xD5n +/VZSnEKc670dYHRHgRl5m2HPR8doghYN3tuCmtnDp2e+6VkEux1mnuypWEs5I9oO +YnBZCAKF/fCNH1BHwlAy/1oNH6Qj1Khls86sH7+PvDK/va0/CqyE2rL3RVk8Wnx8 +K+LlSc8V1q2XWUj8pl33TgvFzwx6/QpmGa1ofK84GaeWNskRt8xyf2HECiRl6ZFm +zZr2Ror3nRbgZK9FYWpcp6HUgxAH/8GQ3+8vMvftfTsDGD5TmmEq6CFgAFCVj92L +d7AZmNWR1483NzZF0HWOQ6ew9qrWkqVpER7kKKp/kkfoh2qXgvtQBTrw4IcCRwwa +szaSsIEBAoGBANiqXhBzPQJszm1Ajln07ZeyvgRB8PgzZXcAHS9AfGqh/mGQw5/X +3vqHdGiEynphoYtNqK1YT7RH7pkjkpqDzdunZGz1xog7i4ys8kVtivkDGlhn6cXI +4wmFcmyCaf76VPPr1RX8PNjsEKDK3jq1d86lBjSLPgcHT7J16WZgOcJnAoGBAMzY +QVNpjk1WNT7gid3MUXciIIZAovej4AiVyn97XxxLSyByXmNds65f3dM8NOJkJUvT +iV7pAjKl9pd1lE+WTNQSjCgSxw7G+4u9cQfNE7p6klAh/Rek76Mani9rAmQ2PdJl +EFaEgLom3wbR5eOkYURjw2jfqzFYQ8T1YZkWBithAoGAa3EYkknDIFe6ifzwWnWV ++Jr/lXbpuvspvrhEwLDWwb4xOkqiZ7qR7WSMemQXUFbn1/+bvNJFPB5LmI9GXO8t +f1Zj+5BpchctHYaJ4Znvx4odX2ewSo9S3t7ZHiwRygpzZD43fd6Ggf+WQ1Y2m6Bv +l/7Hs/i0uqGKiPHl2wmuutMCgYABZN9c7/T19cY6/VAy4DcVtne+MiZpxQW7STmt +kGtfR+vk9qJJztNwNlrOGzTI7aGLWI8wxCktqw94jGZL/FvdfZrSkv4jzZrcopdo +VC70L+1a+kA8rvSqiX3WGMZVZEEbc3CfBhvSKH2QEFGeMPowevVTe2Iw3cboSjs1 +zX6RQQKBgFV7gOstMfvixCSUCD2s5j/skhNJsB3Wd/tVYRbl/vgA6hHW8UOy2oWv +UTE45vJNVzRv030G5katjOYhlxHf9rpeSAbeIyty54I3X9/vDJZLXwe8WilQjUr7 +Dw8yNwH44j/0s8xcQXG8yE0h1Aa9GxHHtJtYrRYdx7sSwNHtwpnp +-----END RSA PRIVATE KEY----- diff --git a/libbeat/common/transport/tlscommon/testdata/client1.crt b/libbeat/common/transport/tlscommon/testdata/client1.crt new file mode 100644 index 00000000000..c3139a72a77 --- /dev/null +++ b/libbeat/common/transport/tlscommon/testdata/client1.crt @@ -0,0 +1,48 @@ +-----BEGIN CERTIFICATE----- +MIIEFzCCAv+gAwIBAgIUeaB7uk2DjAM2cuRl0kaE9ly7Lj4wDQYJKoZIhvcNAQEL +BQAwUDELMAkGA1UEBhMCQ0ExDzANBgNVBAgMBlF1ZWJlYzERMA8GA1UEBwwITW9u +dHJlYWwxDjAMBgNVBAoMBWJlYXRzMQ0wCwYDVQQLDARyb290MCAXDTE5MDcyMjE5 +MjkwNVoYDzIxMTkwNjI4MTkyOTA1WjBmMQswCQYDVQQGEwJDQTEPMA0GA1UECAwG +UXVlYmVjMREwDwYDVQQHDAhNb250cmVhbDEOMAwGA1UECgwFYmVhdHMxDzANBgNV +BAsMBnNlcnZlcjESMBAGA1UEAwwJbG9jYWxob3N0MIIBIjANBgkqhkiG9w0BAQEF +AAOCAQ8AMIIBCgKCAQEA3jXEj7vN+BDlj6cYblKSml0FWpO4yi9C58cubXXDWXI6 +hdpzNpDa0+n606Jg4eVZpFUZPTnnjQmFIcesO0+i85V4Etswr4T22uobDu1AWV7n +26nDMY/vlf+kDI8H/uFgxQg/Htuh12nHuYrjIS+ot/D6gThwIWVldu0TaBaFfvL5 +5qTPRJoteiBPo5y+VuWLhzPWg8cQYZ4KJ4XREk8H4d7PqFRHp+zATfn2YLBjUK7Z +zd0W3mxkdB2P7MnzZuH5n5zrgJ8OI9voopX8QadMYtUSeITP1INmNKhi4vLbpZjU +mt+N/u1G6xwbuyJiSlklBoXdRcWj5kSljpLtF1evvwIDAQABo4HQMIHNMAwGA1Ud +EwEB/wQCMAAwHQYDVR0OBBYEFAuDdHxE9/Zr7iVwfnUJ/lRtJnZkMIGNBgNVHSME +gYUwgYKAFH8hDdUHuxZVmvtkQZ5fFXeGQhZCoVSkUjBQMQswCQYDVQQGEwJDQTEP +MA0GA1UECAwGUXVlYmVjMREwDwYDVQQHDAhNb250cmVhbDEOMAwGA1UECgwFYmVh +dHMxDTALBgNVBAsMBHJvb3SCFF8Gy28Bo1lpUDazFLHQ6Ss3hosRMA4GA1UdDwEB +/wQEAwIF4DANBgkqhkiG9w0BAQsFAAOCAQEACzuX6AiVHk5Igs/LdOW2sJ9lm95N +Su1PQCobM0Jo8wX3pDAEQlLmaWTDcr4bfrQPfI8pih1F89DQU9z0nzNCRfxiQaA7 +myF8ftvf8v5j3LpaPWlkdWgCRieCl58fgy5vtcKx73eTY4a6SRB4zbWpl0rX9H6w +En1kQbpCJDzh8W+xmr8AKvY77CSC1vt7TaKan6F+fGwbt8kIng6P6C7dvMGsDKQN +2Tiq/wtH16DB8mOeO+zfxJfa84TPWL4UcSbZJ8w5Fyz4GJormaymxJGtKv58RO7J +u63WF9vlEnKGyqY1FckTsp3P9ivGEb/Y75+NyRwmNq5VO5BPrRBMOF3VAg== +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIEBDCCAuygAwIBAgIUXwbLbwGjWWlQNrMUsdDpKzeGixEwDQYJKoZIhvcNAQEL +BQAwUDELMAkGA1UEBhMCQ0ExDzANBgNVBAgMBlF1ZWJlYzERMA8GA1UEBwwITW9u +dHJlYWwxDjAMBgNVBAoMBWJlYXRzMQ0wCwYDVQQLDARyb290MCAXDTE5MDcyMjE5 +MjkwNVoYDzIxMTkwNjI4MTkyOTA1WjBQMQswCQYDVQQGEwJDQTEPMA0GA1UECAwG +UXVlYmVjMREwDwYDVQQHDAhNb250cmVhbDEOMAwGA1UECgwFYmVhdHMxDTALBgNV +BAsMBHJvb3QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCtXsn+VCrW +ibutoByM5EeIK29XYffBwN78EeNjDdaZZqMF4wGZZ6z2xQXH6mFx+m1gjnf5R2qo +yfentYH5VRZz5AEtBGPsOqMffV9u5PkHSo/2ilCX40eBVp5u3qh6aFPZ5DKqexWu +5jUMYolTXpvAtML5YbMH9XvW6pn5WAqwHPLNe+fVuPg4tJN0u/ff0wKqSUBIhVOP +7EPhz3yLflACScgj+LPXz/5gtUXe9RR5RB8zyWGfNL91eoVVaApcdp4kIU+DHmgI +p+T4CpgdYWsYuOWH49F7RJyLpocUU4H+heeC4+zH0LIUcELa+n/M2DUDW3RE109a +tv9OEJKR8/YHAgMBAAGjgdMwgdAwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQU +fyEN1Qe7FlWa+2RBnl8Vd4ZCFkIwgY0GA1UdIwSBhTCBgoAUfyEN1Qe7FlWa+2RB +nl8Vd4ZCFkKhVKRSMFAxCzAJBgNVBAYTAkNBMQ8wDQYDVQQIDAZRdWViZWMxETAP +BgNVBAcMCE1vbnRyZWFsMQ4wDAYDVQQKDAViZWF0czENMAsGA1UECwwEcm9vdIIU +XwbLbwGjWWlQNrMUsdDpKzeGixEwDgYDVR0PAQH/BAQDAgGGMA0GCSqGSIb3DQEB +CwUAA4IBAQAANxJCfDMcNNnAVRlXLdh+loVx8Y5STf1gTgX2gtf9tHZGYE7/ix2P +dG1uQcEz/ETlcGSWRZcQSNR8dNeBi5YWK5dmDUD7reQr3FoyIDvPGHyIcF3clglg +blYhsQN0TVwx4G3kZDenjzKNSyVLR81opLq/PDIGW61ZCioJUQKs5q+IqsKj+okn +in6/b5YfQqyTDIWY3IPiXjvcysbKC0pYc0TkmwGUnidxDny7txrVCVJ1vwIedQug +B/UOjVxi0qsNwpWS08mwEOVvgvObi0mFoGQl8l427M0kM//86NM7vDc4Z0QYHOlq +A0ZjtnSbR3RqfhBGXV3BL+GHtXevn55Z +-----END CERTIFICATE----- diff --git a/libbeat/common/transport/tlscommon/testdata/client1.key b/libbeat/common/transport/tlscommon/testdata/client1.key new file mode 100644 index 00000000000..ce5274b758f --- /dev/null +++ b/libbeat/common/transport/tlscommon/testdata/client1.key @@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEowIBAAKCAQEA3jXEj7vN+BDlj6cYblKSml0FWpO4yi9C58cubXXDWXI6hdpz +NpDa0+n606Jg4eVZpFUZPTnnjQmFIcesO0+i85V4Etswr4T22uobDu1AWV7n26nD +MY/vlf+kDI8H/uFgxQg/Htuh12nHuYrjIS+ot/D6gThwIWVldu0TaBaFfvL55qTP +RJoteiBPo5y+VuWLhzPWg8cQYZ4KJ4XREk8H4d7PqFRHp+zATfn2YLBjUK7Zzd0W +3mxkdB2P7MnzZuH5n5zrgJ8OI9voopX8QadMYtUSeITP1INmNKhi4vLbpZjUmt+N +/u1G6xwbuyJiSlklBoXdRcWj5kSljpLtF1evvwIDAQABAoIBABdTza7JKHZCT9ck +04vBX2KVIVrA50VScNOkNVuIYVmihEJJDI9N5asZhRtykHkmeqKlzGCBE63asf85 +1vrjAVhQ+KoCGLpUWxXgPbbzcS3wqKaGy9cIJT65957Z5Rz8zAvjMb0rkXHryOvR +iMaTGkM1KRcntZ3L5zr06HSk6J7K8QCEexKHl7Q7Ki1498tvBWdJGeGWRiUtI89j +wOUdcf3pVSVqI7J8gmmqVwNrVMbVxhlen7nkckXofWAackYVQDBD+hU1n3doNKLa +NP6mZkI02BOB29WLDXLuHtKDZtgnXex4JUz6zw53uV42FCDoQf3DUiVsMEL8xRCJ +27H6bwECgYEA/w53zS00mNdYdXO7dGhAw3UYPc3PDyg6Z823BQzfdOzsn5Yw0BIw +nPgstzwzOL0kw2p/PgwkG/7LOsF5CWs2xvU3LhUdOhgmw4B5IbMOYvbkVoYGz+22 +HJf4qyexAr7tKCITB+LCzUwoAgXp8uju1XdLVpk6xmJ3u+kIhMYTxkUCgYEA3wgx +71/uIUsoW6bVL5K00yXPWTTFtTBWM768VJ8Y++k2igPgcvKaBVaElr4AbvX5iCGz +1Ycc9xsGAYAo7+q4D+4cuOki/m0PMKD3DgXWpTtN0kJ+npWUBdE98NyDlTJYsa/w +xjeMQoDvC8tE2bAiwtVIOPQL2C/3emqkJcsVcDMCgYB8NeOJ/DXdKSJfMJldu1eu +2FuR3aS00PaAjuJOh1JbcvZZUZ879V/PUd0U7zBStWot8LM+2FLNf2whlQ8I0zm9 +8rWIr6eoHxLhqrNTAgxDjdDtgh/XKwDBNBFZ6N5/Y9PC87Uo5fnQWQIy2gZw0Zde +RdZeugixjEqbLIWFg6ElsQKBgHRy6O+c3M6RWU8ROnoOVU9xjGN9REUoKbn2uopM +T1UoHQvOnmAl/vkOhUfXiI5m65SCVE0GsL7sYyRhb/5kRRo8Ls71GwpQkv/G63ds +4PeAkU9Y3JecbZ7j8z1RRXqewOR1gndcBWWrwCQeS6KFboDfr0fdVFnaIZLPH0mE +UXs1AoGBAM3zpcyl5o99dO6x9N/8SSnyLT9TzzbJ6pU6d0F0ELn3OxTUBH1oA1dy +q1fADcRgN5vNuJljY4es/scK2BMeX1isFitXoIzk01F4R61xoXr8T33731eXFG6L +ehoECH2Yj9H4qNbVW531iYKheuSyaMaxCxaDoK9jBzcKaxMGbTlc +-----END RSA PRIVATE KEY----- diff --git a/libbeat/common/transport/tlscommon/tls_config.go b/libbeat/common/transport/tlscommon/tls_config.go index 22cebb2bf8d..9e7eb4548db 100644 --- a/libbeat/common/transport/tlscommon/tls_config.go +++ b/libbeat/common/transport/tlscommon/tls_config.go @@ -20,8 +20,12 @@ package tlscommon import ( "crypto/tls" "crypto/x509" + "fmt" + "net" "time" + "github.com/pkg/errors" + "github.com/elastic/beats/v7/libbeat/logp" ) @@ -75,8 +79,13 @@ type TLSConfig struct { time func() time.Time } -// ToConfig generates a tls.Config object. Note, you must use BuildModuleConfig to generate a config with +var ( + MissingPeerCertificate = errors.New("missing peer certificates") +) + +// ToConfig generates a tls.Config object. Note, you must use BuildModuleClientConfig to generate a config with // ServerName set, use that method for servers with SNI. +// By default VerifyConnection is set to client mode. func (c *TLSConfig) ToConfig() *tls.Config { if c == nil { return &tls.Config{} @@ -84,36 +93,37 @@ func (c *TLSConfig) ToConfig() *tls.Config { minVersion, maxVersion := extractMinMaxVersion(c.Versions) - // When we are using the CAsha256 pin to validate the CA used to validate the chain, - // or when we are using 'certificate' TLS verification mode, we add a custom callback - verifyPeerCertFn := makeVerifyPeerCertificate(c) - - insecure := c.Verification != VerifyFull + insecure := c.Verification != VerifyStrict if c.Verification == VerifyNone { logp.NewLogger("tls").Warn("SSL/TLS verifications disabled.") } - return &tls.Config{ - MinVersion: minVersion, - MaxVersion: maxVersion, - Certificates: c.Certificates, - RootCAs: c.RootCAs, - ClientCAs: c.ClientCAs, - InsecureSkipVerify: insecure, - CipherSuites: c.CipherSuites, - CurvePreferences: c.CurvePreferences, - Renegotiation: c.Renegotiation, - ClientAuth: c.ClientAuth, - VerifyPeerCertificate: verifyPeerCertFn, - Time: c.time, + MinVersion: minVersion, + MaxVersion: maxVersion, + Certificates: c.Certificates, + RootCAs: c.RootCAs, + ClientCAs: c.ClientCAs, + InsecureSkipVerify: insecure, + CipherSuites: c.CipherSuites, + CurvePreferences: c.CurvePreferences, + Renegotiation: c.Renegotiation, + ClientAuth: c.ClientAuth, + Time: c.time, + VerifyConnection: makeVerifyConnection(c), } } // BuildModuleConfig takes the TLSConfig and transform it into a `tls.Config`. -func (c *TLSConfig) BuildModuleConfig(host string) *tls.Config { +func (c *TLSConfig) BuildModuleClientConfig(host string) *tls.Config { if c == nil { // use default TLS settings, if config is empty. - return &tls.Config{ServerName: host} + return &tls.Config{ + ServerName: host, + InsecureSkipVerify: true, + VerifyConnection: makeVerifyConnection(&TLSConfig{ + Verification: VerifyFull, + }), + } } config := c.ToConfig() @@ -121,33 +131,169 @@ func (c *TLSConfig) BuildModuleConfig(host string) *tls.Config { return config } -// makeVerifyPeerCertificate creates the verification combination of checking certificate pins and skipping host name validation depending on the config -func makeVerifyPeerCertificate(cfg *TLSConfig) verifyPeerCertFunc { - pin := len(cfg.CASha256) > 0 - skipHostName := cfg.Verification == VerifyCertificate - - if pin && !skipHostName { - return func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error { - return verifyCAPin(cfg.CASha256, verifiedChains) +// BuildServerConfig takes the TLSConfig and transform it into a `tls.Config` for server side objects. +func (c *TLSConfig) BuildServerConfig(host string) *tls.Config { + if c == nil { + // use default TLS settings, if config is empty. + return &tls.Config{ + ServerName: host, + InsecureSkipVerify: true, + VerifyConnection: makeVerifyServerConnection(&TLSConfig{ + Verification: VerifyFull, + }), } } - if pin && skipHostName { - return func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error { - _, _, err := verifyCertificateExceptServerName(rawCerts, cfg) + config := c.ToConfig() + config.ServerName = host + config.VerifyConnection = makeVerifyServerConnection(c) + return config +} + +func makeVerifyConnection(cfg *TLSConfig) func(tls.ConnectionState) error { + switch cfg.Verification { + case VerifyFull: + return func(cs tls.ConnectionState) error { + // On the client side, PeerCertificates can't be empty. + if len(cs.PeerCertificates) == 0 { + return MissingPeerCertificate + } + + opts := x509.VerifyOptions{ + Roots: cfg.RootCAs, + Intermediates: x509.NewCertPool(), + } + err := verifyCertsWithOpts(cs.PeerCertificates, cfg.CASha256, opts) if err != nil { return err } - return verifyCAPin(cfg.CASha256, verifiedChains) + return verifyHostname(cs.PeerCertificates[0], cs.ServerName) + } + case VerifyCertificate: + return func(cs tls.ConnectionState) error { + // On the client side, PeerCertificates can't be empty. + if len(cs.PeerCertificates) == 0 { + return MissingPeerCertificate + } + + opts := x509.VerifyOptions{ + Roots: cfg.RootCAs, + Intermediates: x509.NewCertPool(), + } + return verifyCertsWithOpts(cs.PeerCertificates, cfg.CASha256, opts) + } + case VerifyStrict: + if len(cfg.CASha256) > 0 { + return func(cs tls.ConnectionState) error { + return verifyCAPin(cfg.CASha256, cs.VerifiedChains) + } } + default: } - if !pin && skipHostName { - return func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error { - _, _, err := verifyCertificateExceptServerName(rawCerts, cfg) - return err + return nil + +} + +func makeVerifyServerConnection(cfg *TLSConfig) func(tls.ConnectionState) error { + switch cfg.Verification { + case VerifyFull: + return func(cs tls.ConnectionState) error { + if len(cs.PeerCertificates) == 0 { + if cfg.ClientAuth == tls.RequireAndVerifyClientCert { + return MissingPeerCertificate + } + return nil + } + + opts := x509.VerifyOptions{ + Roots: cfg.ClientCAs, + Intermediates: x509.NewCertPool(), + KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}, + } + err := verifyCertsWithOpts(cs.PeerCertificates, cfg.CASha256, opts) + if err != nil { + return err + } + return verifyHostname(cs.PeerCertificates[0], cs.ServerName) + } + case VerifyCertificate: + return func(cs tls.ConnectionState) error { + if len(cs.PeerCertificates) == 0 { + if cfg.ClientAuth == tls.RequireAndVerifyClientCert { + return MissingPeerCertificate + } + return nil + } + + opts := x509.VerifyOptions{ + Roots: cfg.ClientCAs, + Intermediates: x509.NewCertPool(), + KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}, + } + return verifyCertsWithOpts(cs.PeerCertificates, cfg.CASha256, opts) + } + case VerifyStrict: + if len(cfg.CASha256) > 0 { + return func(cs tls.ConnectionState) error { + return verifyCAPin(cfg.CASha256, cs.VerifiedChains) + } } + default: + } + + return nil + +} + +func verifyCertsWithOpts(certs []*x509.Certificate, casha256 []string, opts x509.VerifyOptions) error { + for _, cert := range certs[1:] { + opts.Intermediates.AddCert(cert) + } + verifiedChains, err := certs[0].Verify(opts) + if err != nil { + return err } + if len(casha256) > 0 { + return verifyCAPin(casha256, verifiedChains) + } return nil } + +func verifyHostname(cert *x509.Certificate, hostname string) error { + if hostname == "" { + return nil + } + // check if the server name is an IP + ip := hostname + if len(ip) >= 3 && ip[0] == '[' && ip[len(ip)-1] == ']' { + ip = ip[1 : len(ip)-1] + } + parsedIP := net.ParseIP(ip) + if parsedIP != nil { + for _, certIP := range cert.IPAddresses { + if parsedIP.Equal(certIP) { + return nil + } + } + return x509.HostnameError{Certificate: cert, Host: hostname} + } + + dnsnames := cert.DNSNames + if len(dnsnames) == 0 || len(dnsnames) == 1 && dnsnames[0] == "" { + if cert.Subject.CommonName != "" { + dnsnames = []string{cert.Subject.CommonName} + } + } + + for _, name := range dnsnames { + if len(name) > 0 && len(hostname) > 0 && name == hostname { + if !validHostname(name, true) { + return fmt.Errorf("invalid hostname in cert") + } + return nil + } + } + return x509.HostnameError{Certificate: cert, Host: hostname} +} diff --git a/libbeat/common/transport/tlscommon/tls_config_test.go b/libbeat/common/transport/tlscommon/tls_config_test.go new file mode 100644 index 00000000000..1490664d3d3 --- /dev/null +++ b/libbeat/common/transport/tlscommon/tls_config_test.go @@ -0,0 +1,199 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +package tlscommon + +import ( + "crypto/tls" + "crypto/x509" + "encoding/pem" + "io/ioutil" + "path/filepath" + "testing" + + "github.com/stretchr/testify/assert" +) + +func TestMakeVerifyServerConnection(t *testing.T) { + testCerts, err := openTestCerts() + if err != nil { + t.Fatalf("failed to open test certs: %+v", err) + } + + testCA, errs := LoadCertificateAuthorities([]string{filepath.Join("testdata", "cacert.crt")}) + if len(errs) > 0 { + t.Fatalf("failed to load test certificate authorities: %+v", errs) + } + + testcases := map[string]struct { + verificationMode TLSVerificationMode + clientAuth tls.ClientAuthType + certAuthorities *x509.CertPool + peerCerts []*x509.Certificate + serverName string + expectedCallback bool + expectedError error + }{ + "default verification without certificates when required": { + verificationMode: VerifyFull, + clientAuth: tls.RequireAndVerifyClientCert, + peerCerts: nil, + serverName: "", + expectedCallback: true, + expectedError: MissingPeerCertificate, + }, + "default verification with certificates when required with expired cert": { + verificationMode: VerifyFull, + clientAuth: tls.RequireAndVerifyClientCert, + certAuthorities: testCA, + peerCerts: []*x509.Certificate{testCerts["expired"]}, + serverName: "", + expectedCallback: true, + expectedError: x509.CertificateInvalidError{Cert: testCerts["expired"], Reason: x509.Expired}, + }, + "default verification with certificates when required with incorrect server name in cert": { + verificationMode: VerifyFull, + clientAuth: tls.RequireAndVerifyClientCert, + certAuthorities: testCA, + peerCerts: []*x509.Certificate{testCerts["correct"]}, + serverName: "bad.example.com", + expectedCallback: true, + expectedError: x509.HostnameError{Certificate: testCerts["correct"], Host: "bad.example.com"}, + }, + "default verification with certificates when required with correct cert": { + verificationMode: VerifyFull, + clientAuth: tls.RequireAndVerifyClientCert, + certAuthorities: testCA, + peerCerts: []*x509.Certificate{testCerts["correct"]}, + serverName: "localhost", + expectedCallback: true, + expectedError: nil, + }, + "certificate verification with certificates when required with correct cert": { + verificationMode: VerifyCertificate, + clientAuth: tls.RequireAndVerifyClientCert, + certAuthorities: testCA, + peerCerts: []*x509.Certificate{testCerts["correct"]}, + serverName: "localhost", + expectedCallback: true, + expectedError: nil, + }, + "certificate verification with certificates when required with expired cert": { + verificationMode: VerifyCertificate, + clientAuth: tls.RequireAndVerifyClientCert, + certAuthorities: testCA, + peerCerts: []*x509.Certificate{testCerts["expired"]}, + serverName: "localhost", + expectedCallback: true, + expectedError: x509.CertificateInvalidError{Cert: testCerts["expired"], Reason: x509.Expired}, + }, + "certificate verification with certificates when required with incorrect server name in cert": { + verificationMode: VerifyCertificate, + clientAuth: tls.RequireAndVerifyClientCert, + certAuthorities: testCA, + peerCerts: []*x509.Certificate{testCerts["correct"]}, + serverName: "bad.example.com", + expectedCallback: true, + expectedError: nil, + }, + "strict verification with certificates when required with correct cert": { + verificationMode: VerifyStrict, + clientAuth: tls.RequireAndVerifyClientCert, + certAuthorities: testCA, + peerCerts: []*x509.Certificate{testCerts["correct"]}, + serverName: "localhost", + expectedCallback: false, + expectedError: nil, + }, + "default verification with certificates when required with cert signed by unkown authority": { + verificationMode: VerifyFull, + clientAuth: tls.RequireAndVerifyClientCert, + certAuthorities: testCA, + peerCerts: []*x509.Certificate{testCerts["unknown authority"]}, + serverName: "", + expectedCallback: true, + expectedError: x509.UnknownAuthorityError{Cert: testCerts["unknown authority"]}, + }, + "default verification without certificates not required": { + verificationMode: VerifyFull, + clientAuth: tls.NoClientCert, + peerCerts: nil, + serverName: "", + expectedCallback: true, + expectedError: nil, + }, + "no verification without certificates not required": { + verificationMode: VerifyNone, + clientAuth: tls.NoClientCert, + peerCerts: nil, + serverName: "", + expectedError: nil, + }, + } + + for name, test := range testcases { + t.Run(name, func(t *testing.T) { + test := test + cfg := &TLSConfig{ + Verification: test.verificationMode, + ClientAuth: test.clientAuth, + ClientCAs: test.certAuthorities, + } + + verifier := makeVerifyServerConnection(cfg) + if !test.expectedCallback { + assert.Nil(t, verifier) + return + } + + err := verifier(tls.ConnectionState{ + PeerCertificates: test.peerCerts, + ServerName: test.serverName, + }) + if test.expectedError == nil { + assert.Nil(t, err) + } else { + assert.Error(t, test.expectedError, err) + } + }) + } + +} + +func openTestCerts() (map[string]*x509.Certificate, error) { + certs := make(map[string]*x509.Certificate, 0) + + for testcase, certname := range map[string]string{ + "expired": "tls.crt", + "unknown authority": "unsigned_tls.crt", + "correct": "client1.crt", + } { + + certBytes, err := ioutil.ReadFile(filepath.Join("testdata", certname)) + if err != nil { + return nil, err + } + block, _ := pem.Decode(certBytes) + testCert, err := x509.ParseCertificate(block.Bytes) + if err != nil { + return nil, err + } + certs[testcase] = testCert + } + + return certs, nil +} diff --git a/libbeat/common/transport/tlscommon/tls_test.go b/libbeat/common/transport/tlscommon/tls_test.go index 53e9da18db3..45c0ebf1f7f 100644 --- a/libbeat/common/transport/tlscommon/tls_test.go +++ b/libbeat/common/transport/tlscommon/tls_test.go @@ -132,12 +132,12 @@ func TestApplyEmptyConfig(t *testing.T) { t.Fatal(err) } - cfg := tmp.BuildModuleConfig("") + cfg := tmp.BuildModuleClientConfig("") assert.Equal(t, int(TLSVersionDefaultMin), int(cfg.MinVersion)) assert.Equal(t, int(TLSVersionDefaultMax), int(cfg.MaxVersion)) assert.Len(t, cfg.Certificates, 0) assert.Nil(t, cfg.RootCAs) - assert.Equal(t, false, cfg.InsecureSkipVerify) + assert.Equal(t, true, cfg.InsecureSkipVerify) assert.Len(t, cfg.CipherSuites, 0) assert.Len(t, cfg.CurvePreferences, 0) assert.Equal(t, tls.RenegotiateNever, cfg.Renegotiation) @@ -159,7 +159,7 @@ func TestApplyWithConfig(t *testing.T) { t.Fatal(err) } - cfg := tmp.BuildModuleConfig("") + cfg := tmp.BuildModuleClientConfig("") assert.NotNil(t, cfg) assert.Len(t, cfg.Certificates, 1) assert.NotNil(t, cfg.RootCAs) @@ -184,7 +184,7 @@ key: mykey.pem tmp, err := LoadTLSServerConfig(&c) require.NoError(t, err) - cfg := tmp.BuildModuleConfig("") + cfg := tmp.BuildModuleClientConfig("") assert.NotNil(t, cfg) // values not set by default @@ -193,7 +193,7 @@ key: mykey.pem assert.Len(t, cfg.CipherSuites, 0) assert.Len(t, cfg.CurvePreferences, 0) // values set by default - assert.Equal(t, false, cfg.InsecureSkipVerify) + assert.Equal(t, true, cfg.InsecureSkipVerify) assert.Equal(t, int(TLSVersionDefaultMin), int(cfg.MinVersion)) assert.Equal(t, int(TLSVersionDefaultMax), int(cfg.MaxVersion)) assert.Equal(t, tls.NoClientCert, cfg.ClientAuth) @@ -213,7 +213,7 @@ key: mykey.pem tmp, err := LoadTLSServerConfig(&c) require.NoError(t, err) - cfg := tmp.BuildModuleConfig("") + cfg := tmp.BuildModuleClientConfig("") assert.NotNil(t, cfg) // values not set by default @@ -222,7 +222,7 @@ key: mykey.pem assert.Len(t, cfg.CipherSuites, 0) assert.Len(t, cfg.CurvePreferences, 0) // values set by default - assert.Equal(t, false, cfg.InsecureSkipVerify) + assert.Equal(t, true, cfg.InsecureSkipVerify) assert.Equal(t, int(TLSVersionDefaultMin), int(cfg.MinVersion)) assert.Equal(t, int(TLSVersionDefaultMax), int(cfg.MaxVersion)) assert.Equal(t, tls.RequireAndVerifyClientCert, cfg.ClientAuth) @@ -260,7 +260,7 @@ func TestApplyWithServerConfig(t *testing.T) { return } - cfg := tmp.BuildModuleConfig("") + cfg := tmp.BuildModuleClientConfig("") assert.NotNil(t, cfg) assert.Len(t, cfg.Certificates, 1) assert.NotNil(t, cfg.ClientCAs) diff --git a/libbeat/common/transport/tlscommon/types.go b/libbeat/common/transport/tlscommon/types.go index c130a57c71a..29b11c92010 100644 --- a/libbeat/common/transport/tlscommon/types.go +++ b/libbeat/common/transport/tlscommon/types.go @@ -127,11 +127,13 @@ const ( VerifyFull TLSVerificationMode = iota VerifyNone VerifyCertificate + VerifyStrict ) var tlsVerificationModes = map[string]TLSVerificationMode{ "": VerifyFull, "full": VerifyFull, + "strict": VerifyStrict, "none": VerifyNone, "certificate": VerifyCertificate, } diff --git a/libbeat/common/transport/tlscommon/verify.go b/libbeat/common/transport/tlscommon/validhostname.go similarity index 59% rename from libbeat/common/transport/tlscommon/verify.go rename to libbeat/common/transport/tlscommon/validhostname.go index 867e70874a9..15370b4d4f9 100644 --- a/libbeat/common/transport/tlscommon/verify.go +++ b/libbeat/common/transport/tlscommon/validhostname.go @@ -43,58 +43,55 @@ // (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. -// This file contains code adapted from golang's crypto/tls/handshake_client.go +// This file contains code adapted from golang's crypto/x509/verify.go package tlscommon -import ( - "crypto/x509" - "time" +import "strings" - "github.com/pkg/errors" -) - -// verifyCertificateExceptServerName is a TLS Certificate verification utility method that verifies that the provided -// certificate chain is valid and is signed by one of the root CAs in the provided tls.Config. It is intended to be -// as similar as possible to the default verify, but does not verify that the provided certificate matches the -// ServerName in the tls.Config. -func verifyCertificateExceptServerName( - rawCerts [][]byte, - c *TLSConfig, -) ([]*x509.Certificate, [][]*x509.Certificate, error) { - // this is where we're a bit suboptimal, as we have to re-parse the certificates that have been presented - // during the handshake. - // the verification code here is taken from verifyServerCertificate in crypto/tls/handshake_client.go:824 - certs := make([]*x509.Certificate, len(rawCerts)) - for i, asn1Data := range rawCerts { - cert, err := x509.ParseCertificate(asn1Data) - if err != nil { - return nil, nil, errors.Wrap(err, "tls: failed to parse certificate from server") - } - certs[i] = cert +// validHostname reports whether host is a valid hostname that can be matched or +// matched against according to RFC 6125 2.2, with some leniency to accommodate +// legacy values. +func validHostname(host string, isPattern bool) bool { + if !isPattern { + host = strings.TrimSuffix(host, ".") } - - var t time.Time - if c.time != nil { - t = c.time() - } else { - t = time.Now() - } - - // DNSName omitted in VerifyOptions in order to skip ServerName verification - opts := x509.VerifyOptions{ - Roots: c.RootCAs, - CurrentTime: t, - Intermediates: x509.NewCertPool(), + if len(host) == 0 { + return false } - for _, cert := range certs[1:] { - opts.Intermediates.AddCert(cert) + for i, part := range strings.Split(host, ".") { + if part == "" { + // Empty label. + return false + } + if isPattern && i == 0 && part == "*" { + // Only allow full left-most wildcards, as those are the only ones + // we match, and matching literal '*' characters is probably never + // the expected behavior. + continue + } + for j, c := range part { + if 'a' <= c && c <= 'z' { + continue + } + if '0' <= c && c <= '9' { + continue + } + if 'A' <= c && c <= 'Z' { + continue + } + if c == '-' && j != 0 { + continue + } + if c == '_' { + // Not a valid character in hostnames, but commonly + // found in deployments outside the WebPKI. + continue + } + return false + } } - headCert := certs[0] - - // defer to the default verification performed - chains, err := headCert.Verify(opts) - return certs, chains, err + return true } diff --git a/libbeat/common/transport/tlscommon/verify_test.go b/libbeat/common/transport/tlscommon/verify_test.go deleted file mode 100644 index c08e60642f5..00000000000 --- a/libbeat/common/transport/tlscommon/verify_test.go +++ /dev/null @@ -1,110 +0,0 @@ -// Licensed to Elasticsearch B.V. under one or more contributor -// license agreements. See the NOTICE file distributed with -// this work for additional information regarding copyright -// ownership. Elasticsearch B.V. licenses this file to you under -// the Apache License, Version 2.0 (the "License"); you may -// not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, -// software distributed under the License is distributed on an -// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY -// KIND, either express or implied. See the License for the -// specific language governing permissions and limitations -// under the License. - -package tlscommon - -import ( - "crypto/x509" - "encoding/pem" - "io/ioutil" - "path/filepath" - "testing" - "time" - - "github.com/stretchr/testify/assert" -) - -// This does not actually test that it ignores the server name because no part of the func even consumes the server name -func Test_verifyCertificateExceptServerName(t *testing.T) { - - tests := []struct { - name string - ca string - chain string - cert string - time func() time.Time - wantErr bool - }{ - { - name: "happy path", - // a CA for morello.ovh valid from August 9 2019 to 2029 - ca: "ca.crt", - // a cert signed by morello.ovh that expired in nov 2019 - cert: "tls.crt", - time: func() time.Time { - layout := "2006-01-02" - t, _ := time.Parse(layout, "2019-10-01") - return t - }, - wantErr: false, - }, - { - name: "cert not signed by CA", - ca: "ca.crt", - // a self-signed cert for www.example.com valid from July 23 2020 to 2030 - cert: "unsigned_tls.crt", - time: func() time.Time { - layout := "2006-01-02" - t, _ := time.Parse(layout, "2020-07-24") - return t - }, - wantErr: true, - }, - { - name: "cert expired", - ca: "ca.crt", - cert: "tls.crt", - wantErr: true, - }, - } - - for _, tc := range tests { - t.Run(tc.name, func(t *testing.T) { - cfg := &TLSConfig{time: tc.time} - // load the CA - if tc.ca != "" { - ca := loadFileBytes(tc.ca) - caCertPool := x509.NewCertPool() - caCertPool.AppendCertsFromPEM(ca) - cfg.RootCAs = caCertPool - } - - // load the cert - rawCerts := [][]byte{} - if tc.cert != "" { - pemCert := loadFileBytes(tc.cert) - block, _ := pem.Decode(pemCert) - rawCerts = append(rawCerts, block.Bytes) - } - - _, _, got := verifyCertificateExceptServerName(rawCerts, cfg) - if tc.wantErr { - assert.Error(t, got) - } else { - assert.NoError(t, got) - } - }) - } -} - -func loadFileBytes(fileName string) []byte { - contents, err := ioutil.ReadFile(filepath.Join("testdata", fileName)) - if err != nil { - panic(err) - } - return contents -} diff --git a/libbeat/common/transport/transptest/testing.go b/libbeat/common/transport/transptest/testing.go index 64763ba9b71..1649957c624 100644 --- a/libbeat/common/transport/transptest/testing.go +++ b/libbeat/common/transport/transptest/testing.go @@ -135,7 +135,7 @@ func NewMockServerTLS(t *testing.T, to time.Duration, cert string, proxy *transp t.Fatalf("failed to load certificate") } - listener := tls.NewListener(tcpListener, tlsConfig.BuildModuleConfig("")) + listener := tls.NewListener(tcpListener, tlsConfig.BuildServerConfig("")) server := &MockServer{Listener: listener, Timeout: to} server.Handshake = func(client net.Conn) { diff --git a/libbeat/docs/version.asciidoc b/libbeat/docs/version.asciidoc index 906aa673a14..89578a6f7a2 100644 --- a/libbeat/docs/version.asciidoc +++ b/libbeat/docs/version.asciidoc @@ -1,6 +1,6 @@ :stack-version: 8.0.0 :doc-branch: master -:go-version: 1.14.12 +:go-version: 1.15.7 :release-state: unreleased :python: 3.7 :docker: 1.12 diff --git a/libbeat/outputs/kafka/config.go b/libbeat/outputs/kafka/config.go index b3c8e984fe9..56708841750 100644 --- a/libbeat/outputs/kafka/config.go +++ b/libbeat/outputs/kafka/config.go @@ -227,7 +227,7 @@ func newSaramaConfig(log *logp.Logger, config *kafkaConfig) (*sarama.Config, err if tls != nil { k.Net.TLS.Enable = true - k.Net.TLS.Config = tls.BuildModuleConfig("") + k.Net.TLS.Config = tls.BuildModuleClientConfig("") } switch { diff --git a/metricbeat/Dockerfile b/metricbeat/Dockerfile index 324f98c8d6d..4b76f73bafb 100644 --- a/metricbeat/Dockerfile +++ b/metricbeat/Dockerfile @@ -1,4 +1,4 @@ -FROM golang:1.14.12 +FROM golang:1.15.7 RUN \ apt update \ diff --git a/metricbeat/helper/server/http/http.go b/metricbeat/helper/server/http/http.go index b4bd17477b6..3fe02001d7a 100644 --- a/metricbeat/helper/server/http/http.go +++ b/metricbeat/helper/server/http/http.go @@ -76,7 +76,7 @@ func getDefaultHttpServer(mb mb.BaseMetricSet) (*HttpServer, error) { Addr: net.JoinHostPort(config.Host, strconv.Itoa(int(config.Port))), } if tlsConfig != nil { - httpServer.TLSConfig = tlsConfig.BuildModuleConfig(config.Host) + httpServer.TLSConfig = tlsConfig.BuildModuleClientConfig(config.Host) } h.server = httpServer return h, nil diff --git a/metricbeat/metricbeat.reference.yml b/metricbeat/metricbeat.reference.yml index f7530d7e386..f48de895ab6 100644 --- a/metricbeat/metricbeat.reference.yml +++ b/metricbeat/metricbeat.reference.yml @@ -1306,6 +1306,12 @@ output.elasticsearch: # matches the names identified within the certificate. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. + # * strict, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. If the Subject Alternative + # Name is empty, it returns an error. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. # * none, which performs no verification of the server's certificate. This # mode disables many of the security benefits of SSL/TLS and should only be used # after very careful consideration. It is primarily intended as a temporary @@ -1433,6 +1439,12 @@ output.elasticsearch: # matches the names identified within the certificate. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. + # * strict, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. If the Subject Alternative + # Name is empty, it returns an error. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. # * none, which performs no verification of the server's certificate. This # mode disables many of the security benefits of SSL/TLS and should only be used # after very careful consideration. It is primarily intended as a temporary @@ -1630,6 +1642,12 @@ output.elasticsearch: # matches the names identified within the certificate. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. + # * strict, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. If the Subject Alternative + # Name is empty, it returns an error. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. # * none, which performs no verification of the server's certificate. This # mode disables many of the security benefits of SSL/TLS and should only be used # after very careful consideration. It is primarily intended as a temporary @@ -1786,6 +1804,12 @@ output.elasticsearch: # matches the names identified within the certificate. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. + # * strict, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. If the Subject Alternative + # Name is empty, it returns an error. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. # * none, which performs no verification of the server's certificate. This # mode disables many of the security benefits of SSL/TLS and should only be used # after very careful consideration. It is primarily intended as a temporary @@ -2082,6 +2106,12 @@ setup.kibana: # matches the names identified within the certificate. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. + # * strict, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. If the Subject Alternative + # Name is empty, it returns an error. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. # * none, which performs no verification of the server's certificate. This # mode disables many of the security benefits of SSL/TLS and should only be used # after very careful consideration. It is primarily intended as a temporary @@ -2279,6 +2309,12 @@ logging.files: # matches the names identified within the certificate. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. + # * strict, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. If the Subject Alternative + # Name is empty, it returns an error. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. # * none, which performs no verification of the server's certificate. This # mode disables many of the security benefits of SSL/TLS and should only be used # after very careful consideration. It is primarily intended as a temporary diff --git a/metricbeat/module/http/_meta/Dockerfile b/metricbeat/module/http/_meta/Dockerfile index 132ad0271df..9d104c32a7e 100644 --- a/metricbeat/module/http/_meta/Dockerfile +++ b/metricbeat/module/http/_meta/Dockerfile @@ -1,4 +1,4 @@ -FROM golang:1.14.7 +FROM golang:1.15.7 COPY test/main.go main.go diff --git a/metricbeat/module/kafka/metricset.go b/metricbeat/module/kafka/metricset.go index 73c1be02218..5ec46332b35 100644 --- a/metricbeat/module/kafka/metricset.go +++ b/metricbeat/module/kafka/metricset.go @@ -49,7 +49,7 @@ func NewMetricSet(base mb.BaseMetricSet, options MetricSetOptions) (*MetricSet, var tls *tls.Config if tlsCfg != nil { - tls = tlsCfg.BuildModuleConfig("") + tls = tlsCfg.BuildModuleClientConfig("") } timeout := base.Module().Config().Timeout diff --git a/metricbeat/module/mongodb/metricset.go b/metricbeat/module/mongodb/metricset.go index b1b09a7ac4d..dc329b57f25 100644 --- a/metricbeat/module/mongodb/metricset.go +++ b/metricbeat/module/mongodb/metricset.go @@ -65,7 +65,7 @@ func NewMetricSet(base mb.BaseMetricSet) (*MetricSet, error) { logp.Warn("Failed to obtain hostname from `%s`: %s", hostname, err) hostname = "" } - return tls.Dial("tcp", addr.String(), tlsConfig.BuildModuleConfig(hostname)) + return tls.Dial("tcp", addr.String(), tlsConfig.BuildModuleClientConfig(hostname)) } } diff --git a/packetbeat/Dockerfile b/packetbeat/Dockerfile index 2b0faecc26f..6c5abe6309a 100644 --- a/packetbeat/Dockerfile +++ b/packetbeat/Dockerfile @@ -1,4 +1,4 @@ -FROM golang:1.14.12 +FROM golang:1.15.7 RUN \ apt-get update \ diff --git a/packetbeat/packetbeat.reference.yml b/packetbeat/packetbeat.reference.yml index 57142c14263..9737223098b 100644 --- a/packetbeat/packetbeat.reference.yml +++ b/packetbeat/packetbeat.reference.yml @@ -1024,6 +1024,12 @@ output.elasticsearch: # matches the names identified within the certificate. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. + # * strict, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. If the Subject Alternative + # Name is empty, it returns an error. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. # * none, which performs no verification of the server's certificate. This # mode disables many of the security benefits of SSL/TLS and should only be used # after very careful consideration. It is primarily intended as a temporary @@ -1151,6 +1157,12 @@ output.elasticsearch: # matches the names identified within the certificate. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. + # * strict, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. If the Subject Alternative + # Name is empty, it returns an error. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. # * none, which performs no verification of the server's certificate. This # mode disables many of the security benefits of SSL/TLS and should only be used # after very careful consideration. It is primarily intended as a temporary @@ -1348,6 +1360,12 @@ output.elasticsearch: # matches the names identified within the certificate. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. + # * strict, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. If the Subject Alternative + # Name is empty, it returns an error. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. # * none, which performs no verification of the server's certificate. This # mode disables many of the security benefits of SSL/TLS and should only be used # after very careful consideration. It is primarily intended as a temporary @@ -1504,6 +1522,12 @@ output.elasticsearch: # matches the names identified within the certificate. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. + # * strict, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. If the Subject Alternative + # Name is empty, it returns an error. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. # * none, which performs no verification of the server's certificate. This # mode disables many of the security benefits of SSL/TLS and should only be used # after very careful consideration. It is primarily intended as a temporary @@ -1800,6 +1824,12 @@ setup.kibana: # matches the names identified within the certificate. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. + # * strict, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. If the Subject Alternative + # Name is empty, it returns an error. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. # * none, which performs no verification of the server's certificate. This # mode disables many of the security benefits of SSL/TLS and should only be used # after very careful consideration. It is primarily intended as a temporary @@ -1997,6 +2027,12 @@ logging.files: # matches the names identified within the certificate. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. + # * strict, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. If the Subject Alternative + # Name is empty, it returns an error. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. # * none, which performs no verification of the server's certificate. This # mode disables many of the security benefits of SSL/TLS and should only be used # after very careful consideration. It is primarily intended as a temporary diff --git a/testing/environments/docker/logstash/gencerts.sh b/testing/environments/docker/logstash/gencerts.sh index a04742a7672..fa53523e979 100755 --- a/testing/environments/docker/logstash/gencerts.sh +++ b/testing/environments/docker/logstash/gencerts.sh @@ -2,4 +2,4 @@ mkdir -p pki/tls/certs mkdir -p pki/tls/private -openssl req -subj '/CN=logstash/' -x509 -days $((100 * 365)) -batch -nodes -newkey rsa:2048 -keyout pki/tls/private/logstash.key -out pki/tls/certs/logstash.crt +openssl req -subj '/CN=logstash/' -x509 -days $((100 * 365)) -batch -nodes -newkey rsa:2048 -keyout pki/tls/private/logstash.key -out pki/tls/certs/logstash.crt -config ssl.conf diff --git a/testing/environments/docker/logstash/pki/tls/certs/logstash.crt b/testing/environments/docker/logstash/pki/tls/certs/logstash.crt index 1b18ba84a20..08d2903c7d7 100644 --- a/testing/environments/docker/logstash/pki/tls/certs/logstash.crt +++ b/testing/environments/docker/logstash/pki/tls/certs/logstash.crt @@ -1,18 +1,18 @@ -----BEGIN CERTIFICATE----- -MIIC+zCCAeOgAwIBAgIJALOvd7vXvRrFMA0GCSqGSIb3DQEBCwUAMBMxETAPBgNV -BAMMCGxvZ3N0YXNoMCAXDTE2MDgyNjEyMzMyNFoYDzIxMTYwODAyMTIzMzI0WjAT -MREwDwYDVQQDDAhsb2dzdGFzaDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC -ggEBAKw5gLdWfqG9eraHrAAfSn2NbemYq32YZgbwJGaM9SlY3DDHB1MgBKBjpzPW -FavMO4xaDcfFhZbBJXwCVjPJe3ORQeoHgm3hG2er6JtCXlt3vto8FVbs9H4jd3+U -gH4cNdomgtYh3lBobZFKOa/+mZvjQxsK71KM2Gwk4b5gnV9iLaXzAGRWmY1dlHkE -Gki4WGNg0FlGf7aDJXZK2Yyq8MmiMfUEIZ2sDRjO3f/rCLdz3amG4gJtDllekz5l -lUTLccvtTWstJiKIx1zIAUEvTqaqInjMiJkjQtwazlc9w5ofmauxI6bb9L3L1ZJX -rrt+u5mg8Mc/w63+GuS8ZETbAacCAwEAAaNQME4wHQYDVR0OBBYEFA9Ug44w4XmN -r0z225Zt1zjjrKtoMB8GA1UdIwQYMBaAFA9Ug44w4XmNr0z225Zt1zjjrKtoMAwG -A1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBABwl9KCqg69dv2XNZ95VCdk7 -mAT0LcUbd0FyrzDibNolzx9OlymWYiIxe86KdZsWzgBUcm9Q3Gg+TzAs7UyyfqSp -LR5fgGGIz9PCuuoFBdZCppPL9Y3Dryi91lPXveDUh5zIemOU9Jf6Ni0XVrRsO9C8 -aoY7SLtl1W7du3Nm+ZFH8T0wCcBFaYttmHejyu311ZDyAF0suu6Qu8NAWFrr5QGe -hA8VcImc335VQntT9EcztHhoyt1aW96BxLU9L4kdSZLJ6FVZrGij7IpZNipUQB8p -bPEL9KuQUDHKjoCx2YaNZqmuZ73m6u84TiTxgDYgChSfYASRXyCq90rQrQHVF74= +MIIC+jCCAeKgAwIBAgIUImV3iegTZ0b1zTQna2L4aVKmq1owDQYJKoZIhvcNAQEL +BQAwEzERMA8GA1UEAwwIbG9nc3Rhc2gwIBcNMjAxMTEwMDkwMDQ4WhgPMjEyMDEw +MTcwOTAwNDhaMBMxETAPBgNVBAMMCGxvZ3N0YXNoMIIBIjANBgkqhkiG9w0BAQEF +AAOCAQ8AMIIBCgKCAQEAxYKH925nceZVxHZZskBaMuUIlI8tLRMY6EeXBvsDzrqi +4+pRFSCJU45wZKhOFi/EigWxk8TqfrHqYbpe9Cbxmngup2xvhgDC2Kmr3R/SKARW +zKCAbwLiDcf0yiJyT98AVOdUXuQ7HHC9m8D3Ohp1knYEmV8dJGtiFE1vW3FtYsUW +p0MOu5WG2iOitaWTIdXmqxwxuK6Jo4I3znReS0PSBwLFXKwWzjEcM9yvXPtubIc6 +1mbbF1Stf0GvGxmOs9u3JCNJXQvTuyJ+O7OrUbnk9vN8nmS/w9GSlM1PqwUNrWIB +X0uHazTU8mSFk3QI8M3kBFfFIN5dL9zIXLGFdJYvfwIDAQABo0QwQjALBgNVHQ8E +BAMCBDAwEwYDVR0lBAwwCgYIKwYBBQUHAwEwHgYDVR0RBBcwFYIIbG9nc3Rhc2iC +CWxvY2FsaG9zdDANBgkqhkiG9w0BAQsFAAOCAQEATBSnhUXJuf5whNmBE9OdoMJK +tgSaBx/FGq1tJp6jHkI1i4Oii3Wizs6K4tmWEqepu8MB0IVXJUkxGgh70DD3svKV +1En1zNOkUoI/lAwPBMHOl9oq2Z/u4E1dOydzyLQLDBg0fLC1Ui06NfdJRONOovoX +g3DD4IR6DODVtlGqRnON24H04OvZ3VWfbumkurp2XMvv8cooKQOLcMZ4dLVEyJxm +AEyC6pxuMsY32p/vtVjKarElqOnNAJ9xxS6IPczMgAXUMaxr5cZFMQSrdju9lVh4 +kpY5UglFiIJ/yHdlD5c4O8tK93qJ0Xgo7I7ujm38S38itrShpclXiAfW1rJ/2w== -----END CERTIFICATE----- diff --git a/testing/environments/docker/logstash/pki/tls/private/logstash.key b/testing/environments/docker/logstash/pki/tls/private/logstash.key index 9d3234d202e..83d14841286 100644 --- a/testing/environments/docker/logstash/pki/tls/private/logstash.key +++ b/testing/environments/docker/logstash/pki/tls/private/logstash.key @@ -1,28 +1,28 @@ -----BEGIN PRIVATE KEY----- -MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQCsOYC3Vn6hvXq2 -h6wAH0p9jW3pmKt9mGYG8CRmjPUpWNwwxwdTIASgY6cz1hWrzDuMWg3HxYWWwSV8 -AlYzyXtzkUHqB4Jt4Rtnq+ibQl5bd77aPBVW7PR+I3d/lIB+HDXaJoLWId5QaG2R -Sjmv/pmb40MbCu9SjNhsJOG+YJ1fYi2l8wBkVpmNXZR5BBpIuFhjYNBZRn+2gyV2 -StmMqvDJojH1BCGdrA0Yzt3/6wi3c92phuICbQ5ZXpM+ZZVEy3HL7U1rLSYiiMdc -yAFBL06mqiJ4zIiZI0LcGs5XPcOaH5mrsSOm2/S9y9WSV667fruZoPDHP8Ot/hrk -vGRE2wGnAgMBAAECggEAArbxUXJ6koATFBd1XZcgrHPzPJBce6FQUmGsoTUtlBZD -ej1Y3zWM/R40/3srYkbY1XCB8Rkq7uJifd7nju9pE7xBZrfxlVvL+8lY5EGajSSJ -DJWP3Ivlmqticc9cayB0tNiQjWGBSJEs0PJzkFOaBjwBzcZRWWLA8otuR3rsYBl8 -cb7dV3HV4Z50Qto1ABoUWH2DGz7nX9HCr/SR1ayR1hWHCwv2Q4KQ5wJkmTKmaSNZ -I2464JXvufM9XiV9Fjy4RdiCN3sVXQcUIJ1hY+qGXsR0DUc5lOmw9Eu4SbJgdExR -EWoX4BqJuHrjCeKRF6rsDf5ocAS2cxATbQr1mEbW0QKBgQDWmZMO9TtL+pmJNmoP -g+HzgopBnMLxctcjVOEysuWgZyWYz9sFbCj6Udp2Q/9hjoVYRba3IXEHSsA2mdcY -KKcWbjEOYE+xL6oDXiZRkiJ+Poix9dOnTBg+lt2SKjphuNWnLe3jqfQhZxfV40Nf -60Wx6NGC7Dzlf+pAmkOA12BX2QKBgQDNcyTwnShbVrWzNRpzRe7RSHaAq6jSu1Yi -6dY/8bWTInVhPjB3xUGL0ckiMpDMoi0mxtnBmahvK59GPj3jhz+9HZqG6dSS6Fok -eS104GM7pCWyf66Rd9k8xu5IdrMM9Sveu24s21jgOJDtZtAplP1hsDMxxuaAEDVv -c0RwoKu1fwKBgDL0SheuIMM8oIIU+n/ul5LjNwK3Pw5nby/DcqlAEwfQFfw/tkiG -UwCEuPOF17iJR54bB3RaK2VI2XTdeFYTKQFJbrp0Idf3ck3UaBLMOQZywLBIp1W8 -2rDZz4hqIGydn5VPcYGyE/ZubRlrGc9HpMfGeSC2CQuRIMTwHAEWopiZAoGAZpKm -Trsn+vI/pUlN+19e7H4RLAyILS36w1Ob9DDpRpxdnj8+U43YO8ZxdPFp+cC+ai29 -ajsdLOPKkXdhzscnu3OcQt9bkj0PREZ7u26MHKrHZ2b38Qi1HPL05JjerAl77agG -Sb75kHitYtmB9EC+gJdH+AIl8qolA4+5C8Ir+GECgYBJgkoapPrGgSzCWHH6WpVZ -wrpZJ/rj6685J9K/ji3nHXj7gS4MzEzrtVK2K3aFjIjQe/zXJDI+dxrSCNfYFuQD -YJh+siGPF7Gosyht3ec0vUg7gY7Do1FzwL2H/OxvnaNEO+PPidXGOu/wHV5fMZJ1 -O2aLO5ZIygL6YcVr+vdm1A== +MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDFgof3bmdx5lXE +dlmyQFoy5QiUjy0tExjoR5cG+wPOuqLj6lEVIIlTjnBkqE4WL8SKBbGTxOp+seph +ul70JvGaeC6nbG+GAMLYqavdH9IoBFbMoIBvAuINx/TKInJP3wBU51Re5DsccL2b +wPc6GnWSdgSZXx0ka2IUTW9bcW1ixRanQw67lYbaI6K1pZMh1earHDG4romjgjfO +dF5LQ9IHAsVcrBbOMRwz3K9c+25shzrWZtsXVK1/Qa8bGY6z27ckI0ldC9O7In47 +s6tRueT283yeZL/D0ZKUzU+rBQ2tYgFfS4drNNTyZIWTdAjwzeQEV8Ug3l0v3Mhc +sYV0li9/AgMBAAECggEAXnrge7YuecfLQ12x7pjmDO6OujH7VFKMWaDVWBt/aMbS +4N/XxZl416WNkjkIkYhsJfIvThambdDB49n5TiXK8S+IccJnXtzCWE5hzjdImqfo +tZ4ZkgD5DcqXCJKNyDNOv06hh3r549LygK1AFmVN1K/r50oecKuFkVyxZjbOMq5o +pKuNOiYWYki1FXd0kVd2yLy4ZKejrgMqwKk06xpeY4o9UfWSeMHaG+rlYsxxO/Fe +3o1FueAFNdJv553xzzmjCDI6YVq43izoF11/Q6K0HHvqwPkpNEFo9ChzPuLmvwOd +3Pyif53aVyOWg01sIp7NXzrUMrBoku3QcDtvGvrm8QKBgQD5vyP6LqbaXZ33DX2N +NpxgEpp2H44KCSfuxc1+mu4IpwOKIdX2bqjkcfGqbU5uBammdwYB78ro++YP0qR/ +6MTVyJwbMxlutOHJY/FLDnh+KZdPSBmJmce62khU/+eCATwQJeHCiktK9GxLisq6 +nBlkWLfkLVtGMduq1JwO4lWf4wKBgQDKdI5yfj1GKkAR4DPUp+OBZo1RsSJj5A0H +qMS/eudKTGj9Gi6Xiw200+x6fpzRCWCzUmS3c+QfTXMgNJEBjhhIYSb3IRo1p7Gf +M3chbN53SZyYf6msQ4b7oRiGZFDtoYNm0v4lqIxuoNi98CGxGtmz1W6gejpFyb1Y +A+EkRbSMtQKBgQDb7WZROiPUx/wDQu39HMo4ECnVO5RpYga4TZfYlbZoCCslyQYS +LQCtq2mVGwyl9nafENFJg1C8Opct9+DEgsZTPIW7rhQHWWI7Zrdl0ShqcVW9i1Bx +y+oGsZJgx7mm0k+CKNnV5tLG/tce7un3yt7Rbw8A8LAf8Gfw16lVshqU4QKBgHzZ +WgrzHJhLb81WRMBMdHkVI+sP4FRXi02A3yvx//YKnugOoFLl9qLf2cJEmDI0pUSQ +d/nF5xUCrw9aO14JIaJo/x2BdWdHLbsugrXDLIHFjGNivuCzl+dPFg+yh1Gzu5PK +Y94XTdrfKCohjrVoCH7lDN674XmuCizf35R9w/TNAoGBAKqaP7TTSafEs9ugsAgt +u3RXBbd9OA8u9tLKEBys/f9XoDPYWZ5Ar8a0LjpubcC5V14S7KwBYdiTN0ynaPGK +NI89jze9Y4ByiBWIalXjR6CWh3VlBiUGYONUjxOHaoMGrbYxYACNvJYtqjlQS1yN +LJN6nFfCs4U6TgQ4XBCdVAFO -----END PRIVATE KEY----- diff --git a/testing/environments/docker/logstash/ssl.conf b/testing/environments/docker/logstash/ssl.conf new file mode 100644 index 00000000000..13fbe0dd2bf --- /dev/null +++ b/testing/environments/docker/logstash/ssl.conf @@ -0,0 +1,18 @@ +[req] +distinguished_name = req_distinguished_name +x509_extensions = v3_req +prompt = no +[req_distinguished_name] +C = US +ST = VA +L = SomeCity +O = Elastic +OU = Observability +CN = elastic.co +[v3_req] +keyUsage = keyEncipherment, dataEncipherment +extendedKeyUsage = serverAuth +subjectAltName = @alt_names +[alt_names] +DNS.1 = logstash +DNS.2 = localhost diff --git a/winlogbeat/eventlog/bench_test.go b/winlogbeat/eventlog/bench_test.go index df3417eb611..ffecb69672f 100644 --- a/winlogbeat/eventlog/bench_test.go +++ b/winlogbeat/eventlog/bench_test.go @@ -37,7 +37,7 @@ const gigabyte = 1 << 30 var ( benchTest = flag.Bool("benchtest", false, "Run benchmarks for the eventlog package.") - injectAmount = flag.Int("inject", 1E6, "Number of events to inject before running benchmarks.") + injectAmount = flag.Int("inject", 1e6, "Number of events to inject before running benchmarks.") ) // TestBenchmarkRead benchmarks each event log reader implementation with diff --git a/winlogbeat/tests/system/test_config.py b/winlogbeat/tests/system/test_config.py index 18df0594fca..065de09fc53 100644 --- a/winlogbeat/tests/system/test_config.py +++ b/winlogbeat/tests/system/test_config.py @@ -36,7 +36,7 @@ def test_invalid_ignore_older(self): ) self.run_config_tst(exit_code=1) assert self.log_contains( - "unknown unit hour in duration 1 hour " + "unknown unit \" hour\" in duration \"1 hour\" " "accessing 'winlogbeat.event_logs.0.ignore_older'") def test_invalid_level(self): diff --git a/winlogbeat/winlogbeat.reference.yml b/winlogbeat/winlogbeat.reference.yml index 316df4ae3dd..5eafb6ae1cb 100644 --- a/winlogbeat/winlogbeat.reference.yml +++ b/winlogbeat/winlogbeat.reference.yml @@ -452,6 +452,12 @@ output.elasticsearch: # matches the names identified within the certificate. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. + # * strict, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. If the Subject Alternative + # Name is empty, it returns an error. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. # * none, which performs no verification of the server's certificate. This # mode disables many of the security benefits of SSL/TLS and should only be used # after very careful consideration. It is primarily intended as a temporary @@ -579,6 +585,12 @@ output.elasticsearch: # matches the names identified within the certificate. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. + # * strict, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. If the Subject Alternative + # Name is empty, it returns an error. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. # * none, which performs no verification of the server's certificate. This # mode disables many of the security benefits of SSL/TLS and should only be used # after very careful consideration. It is primarily intended as a temporary @@ -776,6 +788,12 @@ output.elasticsearch: # matches the names identified within the certificate. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. + # * strict, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. If the Subject Alternative + # Name is empty, it returns an error. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. # * none, which performs no verification of the server's certificate. This # mode disables many of the security benefits of SSL/TLS and should only be used # after very careful consideration. It is primarily intended as a temporary @@ -932,6 +950,12 @@ output.elasticsearch: # matches the names identified within the certificate. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. + # * strict, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. If the Subject Alternative + # Name is empty, it returns an error. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. # * none, which performs no verification of the server's certificate. This # mode disables many of the security benefits of SSL/TLS and should only be used # after very careful consideration. It is primarily intended as a temporary @@ -1228,6 +1252,12 @@ setup.kibana: # matches the names identified within the certificate. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. + # * strict, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. If the Subject Alternative + # Name is empty, it returns an error. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. # * none, which performs no verification of the server's certificate. This # mode disables many of the security benefits of SSL/TLS and should only be used # after very careful consideration. It is primarily intended as a temporary @@ -1425,6 +1455,12 @@ logging.files: # matches the names identified within the certificate. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. + # * strict, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. If the Subject Alternative + # Name is empty, it returns an error. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. # * none, which performs no verification of the server's certificate. This # mode disables many of the security benefits of SSL/TLS and should only be used # after very careful consideration. It is primarily intended as a temporary diff --git a/x-pack/auditbeat/auditbeat.reference.yml b/x-pack/auditbeat/auditbeat.reference.yml index ec3ef722b0c..9395908a0de 100644 --- a/x-pack/auditbeat/auditbeat.reference.yml +++ b/x-pack/auditbeat/auditbeat.reference.yml @@ -585,6 +585,12 @@ output.elasticsearch: # matches the names identified within the certificate. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. + # * strict, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. If the Subject Alternative + # Name is empty, it returns an error. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. # * none, which performs no verification of the server's certificate. This # mode disables many of the security benefits of SSL/TLS and should only be used # after very careful consideration. It is primarily intended as a temporary @@ -712,6 +718,12 @@ output.elasticsearch: # matches the names identified within the certificate. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. + # * strict, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. If the Subject Alternative + # Name is empty, it returns an error. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. # * none, which performs no verification of the server's certificate. This # mode disables many of the security benefits of SSL/TLS and should only be used # after very careful consideration. It is primarily intended as a temporary @@ -909,6 +921,12 @@ output.elasticsearch: # matches the names identified within the certificate. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. + # * strict, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. If the Subject Alternative + # Name is empty, it returns an error. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. # * none, which performs no verification of the server's certificate. This # mode disables many of the security benefits of SSL/TLS and should only be used # after very careful consideration. It is primarily intended as a temporary @@ -1065,6 +1083,12 @@ output.elasticsearch: # matches the names identified within the certificate. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. + # * strict, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. If the Subject Alternative + # Name is empty, it returns an error. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. # * none, which performs no verification of the server's certificate. This # mode disables many of the security benefits of SSL/TLS and should only be used # after very careful consideration. It is primarily intended as a temporary @@ -1361,6 +1385,12 @@ setup.kibana: # matches the names identified within the certificate. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. + # * strict, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. If the Subject Alternative + # Name is empty, it returns an error. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. # * none, which performs no verification of the server's certificate. This # mode disables many of the security benefits of SSL/TLS and should only be used # after very careful consideration. It is primarily intended as a temporary @@ -1558,6 +1588,12 @@ logging.files: # matches the names identified within the certificate. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. + # * strict, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. If the Subject Alternative + # Name is empty, it returns an error. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. # * none, which performs no verification of the server's certificate. This # mode disables many of the security benefits of SSL/TLS and should only be used # after very careful consideration. It is primarily intended as a temporary diff --git a/x-pack/dockerlogbeat/pipelinemanager/clientLogReader_test.go b/x-pack/dockerlogbeat/pipelinemanager/clientLogReader_test.go index fbb790479c7..4158ba554ef 100644 --- a/x-pack/dockerlogbeat/pipelinemanager/clientLogReader_test.go +++ b/x-pack/dockerlogbeat/pipelinemanager/clientLogReader_test.go @@ -7,6 +7,7 @@ package pipelinemanager import ( "os" "path/filepath" + "strconv" "sync" "testing" "time" @@ -84,7 +85,7 @@ func createNewClient(t *testing.T, logString string, mockConnector *pipelinemock info := logger.Info{ ContainerID: "b87d3b0379f816a5f2f7070f28cc05e2f564a3fb549a67c64ec30fc5b04142ed", - LogPath: filepath.Join("/tmp/dockerbeattest/", string(time.Now().Unix())), + LogPath: filepath.Join("/tmp/dockerbeattest/", strconv.FormatInt(time.Now().Unix(), 10)), } err = os.MkdirAll(filepath.Dir(info.LogPath), 0755) diff --git a/x-pack/elastic-agent/pkg/agent/operation/common_test.go b/x-pack/elastic-agent/pkg/agent/operation/common_test.go index 43cab2fd3b4..2ec6b531456 100644 --- a/x-pack/elastic-agent/pkg/agent/operation/common_test.go +++ b/x-pack/elastic-agent/pkg/agent/operation/common_test.go @@ -76,7 +76,7 @@ func getTestOperator(t *testing.T, downloadPath string, installPath string, p *a } operator.config.DownloadConfig.OperatingSystem = "darwin" - operator.config.DownloadConfig.Architecture = "32" + operator.config.DownloadConfig.Architecture = "64" // make the download path so the `operation_verify` can ensure the path exists downloadConfig := operator.config.DownloadConfig @@ -101,7 +101,7 @@ func getProgram(binary, version string) *app.Descriptor { downloadCfg := &artifact.Config{ InstallPath: installPath, OperatingSystem: "darwin", - Architecture: "32", + Architecture: "64", } return app.NewDescriptor(spec, version, downloadCfg, nil) } diff --git a/x-pack/elastic-agent/pkg/core/authority/ca.go b/x-pack/elastic-agent/pkg/core/authority/ca.go index 2ddeae70410..f558e8a9eb3 100644 --- a/x-pack/elastic-agent/pkg/core/authority/ca.go +++ b/x-pack/elastic-agent/pkg/core/authority/ca.go @@ -38,10 +38,10 @@ type Pair struct { // NewCA creates a new certificate authority capable of generating child certificates func NewCA() (*CertificateAuthority, error) { ca := &x509.Certificate{ + DNSNames: []string{"localhost"}, SerialNumber: big.NewInt(1653), Subject: pkix.Name{ Organization: []string{"elastic-fleet"}, - CommonName: "localhost", }, NotBefore: time.Now(), NotAfter: time.Now().AddDate(10, 0, 0), @@ -101,13 +101,13 @@ func (c *CertificateAuthority) GeneratePair() (*Pair, error) { } // GeneratePairWithName generates child certificate with provided name as the common name. -func (c *CertificateAuthority) GeneratePairWithName(commonName string) (*Pair, error) { +func (c *CertificateAuthority) GeneratePairWithName(name string) (*Pair, error) { // Prepare certificate certTemplate := &x509.Certificate{ SerialNumber: big.NewInt(1658), + DNSNames: []string{name}, Subject: pkix.Name{ Organization: []string{"elastic-fleet"}, - CommonName: commonName, }, NotBefore: time.Now(), NotAfter: time.Now().AddDate(10, 0, 0), diff --git a/x-pack/filebeat/filebeat.reference.yml b/x-pack/filebeat/filebeat.reference.yml index 0fd068e1963..242b551c510 100644 --- a/x-pack/filebeat/filebeat.reference.yml +++ b/x-pack/filebeat/filebeat.reference.yml @@ -3207,6 +3207,12 @@ output.elasticsearch: # matches the names identified within the certificate. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. + # * strict, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. If the Subject Alternative + # Name is empty, it returns an error. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. # * none, which performs no verification of the server's certificate. This # mode disables many of the security benefits of SSL/TLS and should only be used # after very careful consideration. It is primarily intended as a temporary @@ -3334,6 +3340,12 @@ output.elasticsearch: # matches the names identified within the certificate. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. + # * strict, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. If the Subject Alternative + # Name is empty, it returns an error. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. # * none, which performs no verification of the server's certificate. This # mode disables many of the security benefits of SSL/TLS and should only be used # after very careful consideration. It is primarily intended as a temporary @@ -3531,6 +3543,12 @@ output.elasticsearch: # matches the names identified within the certificate. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. + # * strict, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. If the Subject Alternative + # Name is empty, it returns an error. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. # * none, which performs no verification of the server's certificate. This # mode disables many of the security benefits of SSL/TLS and should only be used # after very careful consideration. It is primarily intended as a temporary @@ -3687,6 +3705,12 @@ output.elasticsearch: # matches the names identified within the certificate. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. + # * strict, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. If the Subject Alternative + # Name is empty, it returns an error. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. # * none, which performs no verification of the server's certificate. This # mode disables many of the security benefits of SSL/TLS and should only be used # after very careful consideration. It is primarily intended as a temporary @@ -3983,6 +4007,12 @@ setup.kibana: # matches the names identified within the certificate. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. + # * strict, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. If the Subject Alternative + # Name is empty, it returns an error. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. # * none, which performs no verification of the server's certificate. This # mode disables many of the security benefits of SSL/TLS and should only be used # after very careful consideration. It is primarily intended as a temporary @@ -4180,6 +4210,12 @@ logging.files: # matches the names identified within the certificate. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. + # * strict, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. If the Subject Alternative + # Name is empty, it returns an error. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. # * none, which performs no verification of the server's certificate. This # mode disables many of the security benefits of SSL/TLS and should only be used # after very careful consideration. It is primarily intended as a temporary diff --git a/x-pack/filebeat/input/http_endpoint/input.go b/x-pack/filebeat/input/http_endpoint/input.go index bddf2be0a9e..2c799c1f14f 100644 --- a/x-pack/filebeat/input/http_endpoint/input.go +++ b/x-pack/filebeat/input/http_endpoint/input.go @@ -59,7 +59,7 @@ func newHTTPEndpoint(config config) (*httpEndpoint, error) { return nil, err } if tlsConfigBuilder != nil { - tlsConfig = tlsConfigBuilder.BuildModuleConfig(addr) + tlsConfig = tlsConfigBuilder.BuildModuleClientConfig(addr) } return &httpEndpoint{ diff --git a/x-pack/filebeat/input/netflow/decoder/template/test_helpers.go b/x-pack/filebeat/input/netflow/decoder/template/test_helpers.go index 9045108c449..0fba76aaab6 100644 --- a/x-pack/filebeat/input/netflow/decoder/template/test_helpers.go +++ b/x-pack/filebeat/input/netflow/decoder/template/test_helpers.go @@ -6,6 +6,7 @@ package template import ( "fmt" + "strconv" "sync" "testing" @@ -61,8 +62,8 @@ func ValidateTemplate(t testing.TB, template *Template) bool { func AssertFieldsEquals(t testing.TB, expected []FieldTemplate, actual []FieldTemplate) (succeeded bool) { if succeeded = assert.Len(t, actual, len(expected)); succeeded { for idx := range expected { - succeeded = assert.Equal(t, expected[idx].Length, actual[idx].Length, string(idx)) && succeeded - succeeded = assert.Equal(t, expected[idx].Info, actual[idx].Info, string(idx)) && succeeded + succeeded = assert.Equal(t, expected[idx].Length, actual[idx].Length, strconv.Itoa(idx)) && succeeded + succeeded = assert.Equal(t, expected[idx].Info, actual[idx].Info, strconv.Itoa(idx)) && succeeded } } return diff --git a/x-pack/functionbeat/Dockerfile b/x-pack/functionbeat/Dockerfile index 907a989eb4d..77daddd7a86 100644 --- a/x-pack/functionbeat/Dockerfile +++ b/x-pack/functionbeat/Dockerfile @@ -1,4 +1,4 @@ -FROM golang:1.14.12 +FROM golang:1.15.7 RUN \ apt-get update \ diff --git a/x-pack/functionbeat/functionbeat.reference.yml b/x-pack/functionbeat/functionbeat.reference.yml index b41a4035d68..d96ab60094e 100644 --- a/x-pack/functionbeat/functionbeat.reference.yml +++ b/x-pack/functionbeat/functionbeat.reference.yml @@ -815,6 +815,12 @@ output.elasticsearch: # matches the names identified within the certificate. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. + # * strict, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. If the Subject Alternative + # Name is empty, it returns an error. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. # * none, which performs no verification of the server's certificate. This # mode disables many of the security benefits of SSL/TLS and should only be used # after very careful consideration. It is primarily intended as a temporary @@ -942,6 +948,12 @@ output.elasticsearch: # matches the names identified within the certificate. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. + # * strict, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. If the Subject Alternative + # Name is empty, it returns an error. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. # * none, which performs no verification of the server's certificate. This # mode disables many of the security benefits of SSL/TLS and should only be used # after very careful consideration. It is primarily intended as a temporary @@ -1221,6 +1233,12 @@ setup.kibana: # matches the names identified within the certificate. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. + # * strict, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. If the Subject Alternative + # Name is empty, it returns an error. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. # * none, which performs no verification of the server's certificate. This # mode disables many of the security benefits of SSL/TLS and should only be used # after very careful consideration. It is primarily intended as a temporary @@ -1418,6 +1436,12 @@ logging.files: # matches the names identified within the certificate. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. + # * strict, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. If the Subject Alternative + # Name is empty, it returns an error. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. # * none, which performs no verification of the server's certificate. This # mode disables many of the security benefits of SSL/TLS and should only be used # after very careful consideration. It is primarily intended as a temporary diff --git a/x-pack/heartbeat/heartbeat.reference.yml b/x-pack/heartbeat/heartbeat.reference.yml index 37e3e2ed122..e39dfa16d69 100644 --- a/x-pack/heartbeat/heartbeat.reference.yml +++ b/x-pack/heartbeat/heartbeat.reference.yml @@ -707,6 +707,12 @@ output.elasticsearch: # matches the names identified within the certificate. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. + # * strict, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. If the Subject Alternative + # Name is empty, it returns an error. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. # * none, which performs no verification of the server's certificate. This # mode disables many of the security benefits of SSL/TLS and should only be used # after very careful consideration. It is primarily intended as a temporary @@ -834,6 +840,12 @@ output.elasticsearch: # matches the names identified within the certificate. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. + # * strict, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. If the Subject Alternative + # Name is empty, it returns an error. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. # * none, which performs no verification of the server's certificate. This # mode disables many of the security benefits of SSL/TLS and should only be used # after very careful consideration. It is primarily intended as a temporary @@ -1031,6 +1043,12 @@ output.elasticsearch: # matches the names identified within the certificate. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. + # * strict, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. If the Subject Alternative + # Name is empty, it returns an error. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. # * none, which performs no verification of the server's certificate. This # mode disables many of the security benefits of SSL/TLS and should only be used # after very careful consideration. It is primarily intended as a temporary @@ -1187,6 +1205,12 @@ output.elasticsearch: # matches the names identified within the certificate. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. + # * strict, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. If the Subject Alternative + # Name is empty, it returns an error. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. # * none, which performs no verification of the server's certificate. This # mode disables many of the security benefits of SSL/TLS and should only be used # after very careful consideration. It is primarily intended as a temporary @@ -1483,6 +1507,12 @@ setup.kibana: # matches the names identified within the certificate. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. + # * strict, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. If the Subject Alternative + # Name is empty, it returns an error. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. # * none, which performs no verification of the server's certificate. This # mode disables many of the security benefits of SSL/TLS and should only be used # after very careful consideration. It is primarily intended as a temporary @@ -1680,6 +1710,12 @@ logging.files: # matches the names identified within the certificate. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. + # * strict, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. If the Subject Alternative + # Name is empty, it returns an error. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. # * none, which performs no verification of the server's certificate. This # mode disables many of the security benefits of SSL/TLS and should only be used # after very careful consideration. It is primarily intended as a temporary diff --git a/x-pack/libbeat/Dockerfile b/x-pack/libbeat/Dockerfile index 06ca7a1ffad..1a0c44db398 100644 --- a/x-pack/libbeat/Dockerfile +++ b/x-pack/libbeat/Dockerfile @@ -1,4 +1,4 @@ -FROM golang:1.14.12 +FROM golang:1.15.7 RUN \ apt-get update \ diff --git a/x-pack/metricbeat/Jenkinsfile.yml b/x-pack/metricbeat/Jenkinsfile.yml index 8406f20f5ac..19f9941ee47 100644 --- a/x-pack/metricbeat/Jenkinsfile.yml +++ b/x-pack/metricbeat/Jenkinsfile.yml @@ -115,14 +115,14 @@ stages: - "windows-7" branches: true ## for all the branches tags: true ## for all the tags - windows-7-32: - mage: "mage build unitTest" - platforms: ## override default labels in this specific stage. - - "windows-7-32-bit" - when: ## Override the top-level when. - comments: - - "/test x-pack/metricbeat for windows-7-32" - labels: - - "windows-7-32" - branches: true ## for all the branches - tags: true ## for all the tags +# windows-7-32: +# mage: "mage build unitTest" +# platforms: ## override default labels in this specific stage. +# - "windows-7-32-bit" +# when: ## Override the top-level when. +# comments: +# - "/test x-pack/metricbeat for windows-7-32" +# labels: +# - "windows-7-32" +# branches: true ## for all the branches +# tags: true ## for all the tags diff --git a/x-pack/metricbeat/metricbeat.reference.yml b/x-pack/metricbeat/metricbeat.reference.yml index 66c0e02eaa2..c003205f76c 100644 --- a/x-pack/metricbeat/metricbeat.reference.yml +++ b/x-pack/metricbeat/metricbeat.reference.yml @@ -1807,6 +1807,12 @@ output.elasticsearch: # matches the names identified within the certificate. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. + # * strict, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. If the Subject Alternative + # Name is empty, it returns an error. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. # * none, which performs no verification of the server's certificate. This # mode disables many of the security benefits of SSL/TLS and should only be used # after very careful consideration. It is primarily intended as a temporary @@ -1934,6 +1940,12 @@ output.elasticsearch: # matches the names identified within the certificate. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. + # * strict, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. If the Subject Alternative + # Name is empty, it returns an error. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. # * none, which performs no verification of the server's certificate. This # mode disables many of the security benefits of SSL/TLS and should only be used # after very careful consideration. It is primarily intended as a temporary @@ -2131,6 +2143,12 @@ output.elasticsearch: # matches the names identified within the certificate. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. + # * strict, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. If the Subject Alternative + # Name is empty, it returns an error. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. # * none, which performs no verification of the server's certificate. This # mode disables many of the security benefits of SSL/TLS and should only be used # after very careful consideration. It is primarily intended as a temporary @@ -2287,6 +2305,12 @@ output.elasticsearch: # matches the names identified within the certificate. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. + # * strict, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. If the Subject Alternative + # Name is empty, it returns an error. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. # * none, which performs no verification of the server's certificate. This # mode disables many of the security benefits of SSL/TLS and should only be used # after very careful consideration. It is primarily intended as a temporary @@ -2583,6 +2607,12 @@ setup.kibana: # matches the names identified within the certificate. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. + # * strict, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. If the Subject Alternative + # Name is empty, it returns an error. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. # * none, which performs no verification of the server's certificate. This # mode disables many of the security benefits of SSL/TLS and should only be used # after very careful consideration. It is primarily intended as a temporary @@ -2780,6 +2810,12 @@ logging.files: # matches the names identified within the certificate. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. + # * strict, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. If the Subject Alternative + # Name is empty, it returns an error. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. # * none, which performs no verification of the server's certificate. This # mode disables many of the security benefits of SSL/TLS and should only be used # after very careful consideration. It is primarily intended as a temporary diff --git a/x-pack/packetbeat/packetbeat.reference.yml b/x-pack/packetbeat/packetbeat.reference.yml index 57142c14263..9737223098b 100644 --- a/x-pack/packetbeat/packetbeat.reference.yml +++ b/x-pack/packetbeat/packetbeat.reference.yml @@ -1024,6 +1024,12 @@ output.elasticsearch: # matches the names identified within the certificate. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. + # * strict, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. If the Subject Alternative + # Name is empty, it returns an error. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. # * none, which performs no verification of the server's certificate. This # mode disables many of the security benefits of SSL/TLS and should only be used # after very careful consideration. It is primarily intended as a temporary @@ -1151,6 +1157,12 @@ output.elasticsearch: # matches the names identified within the certificate. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. + # * strict, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. If the Subject Alternative + # Name is empty, it returns an error. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. # * none, which performs no verification of the server's certificate. This # mode disables many of the security benefits of SSL/TLS and should only be used # after very careful consideration. It is primarily intended as a temporary @@ -1348,6 +1360,12 @@ output.elasticsearch: # matches the names identified within the certificate. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. + # * strict, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. If the Subject Alternative + # Name is empty, it returns an error. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. # * none, which performs no verification of the server's certificate. This # mode disables many of the security benefits of SSL/TLS and should only be used # after very careful consideration. It is primarily intended as a temporary @@ -1504,6 +1522,12 @@ output.elasticsearch: # matches the names identified within the certificate. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. + # * strict, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. If the Subject Alternative + # Name is empty, it returns an error. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. # * none, which performs no verification of the server's certificate. This # mode disables many of the security benefits of SSL/TLS and should only be used # after very careful consideration. It is primarily intended as a temporary @@ -1800,6 +1824,12 @@ setup.kibana: # matches the names identified within the certificate. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. + # * strict, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. If the Subject Alternative + # Name is empty, it returns an error. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. # * none, which performs no verification of the server's certificate. This # mode disables many of the security benefits of SSL/TLS and should only be used # after very careful consideration. It is primarily intended as a temporary @@ -1997,6 +2027,12 @@ logging.files: # matches the names identified within the certificate. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. + # * strict, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. If the Subject Alternative + # Name is empty, it returns an error. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. # * none, which performs no verification of the server's certificate. This # mode disables many of the security benefits of SSL/TLS and should only be used # after very careful consideration. It is primarily intended as a temporary diff --git a/x-pack/winlogbeat/winlogbeat.reference.yml b/x-pack/winlogbeat/winlogbeat.reference.yml index 03652ce2788..43427ba20f6 100644 --- a/x-pack/winlogbeat/winlogbeat.reference.yml +++ b/x-pack/winlogbeat/winlogbeat.reference.yml @@ -495,6 +495,12 @@ output.elasticsearch: # matches the names identified within the certificate. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. + # * strict, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. If the Subject Alternative + # Name is empty, it returns an error. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. # * none, which performs no verification of the server's certificate. This # mode disables many of the security benefits of SSL/TLS and should only be used # after very careful consideration. It is primarily intended as a temporary @@ -622,6 +628,12 @@ output.elasticsearch: # matches the names identified within the certificate. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. + # * strict, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. If the Subject Alternative + # Name is empty, it returns an error. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. # * none, which performs no verification of the server's certificate. This # mode disables many of the security benefits of SSL/TLS and should only be used # after very careful consideration. It is primarily intended as a temporary @@ -819,6 +831,12 @@ output.elasticsearch: # matches the names identified within the certificate. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. + # * strict, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. If the Subject Alternative + # Name is empty, it returns an error. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. # * none, which performs no verification of the server's certificate. This # mode disables many of the security benefits of SSL/TLS and should only be used # after very careful consideration. It is primarily intended as a temporary @@ -975,6 +993,12 @@ output.elasticsearch: # matches the names identified within the certificate. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. + # * strict, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. If the Subject Alternative + # Name is empty, it returns an error. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. # * none, which performs no verification of the server's certificate. This # mode disables many of the security benefits of SSL/TLS and should only be used # after very careful consideration. It is primarily intended as a temporary @@ -1271,6 +1295,12 @@ setup.kibana: # matches the names identified within the certificate. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. + # * strict, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. If the Subject Alternative + # Name is empty, it returns an error. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. # * none, which performs no verification of the server's certificate. This # mode disables many of the security benefits of SSL/TLS and should only be used # after very careful consideration. It is primarily intended as a temporary @@ -1468,6 +1498,12 @@ logging.files: # matches the names identified within the certificate. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. + # * strict, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. If the Subject Alternative + # Name is empty, it returns an error. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. # * none, which performs no verification of the server's certificate. This # mode disables many of the security benefits of SSL/TLS and should only be used # after very careful consideration. It is primarily intended as a temporary